Hi, Sorry, I am probably missing something very basic in the way the vault should work for services...

So my task is simple: let's say I want to store a secret for a script. That is, the script must be able to retrieve it in an unattended way. The script is running on a Linux server server.mydomain.com, which is enrolled in the FreeIPA domain. The script is running under user "svc-user" which I've created on the FreeIPA just for that (so, its principal is svc-u...@mydomain.com). Additionally, I've also created a service "MYSVC" on the FreeIPA (so I now also have the principal MYSVC/server.mydomain....@mydomain.com). Finally, I did not set any password for the user "svc-user" and I've configured its shell to be /sbin/nologin. Not sure if it will make any difference.

And now, with all this ready, I am trying to store my secret as admin, so that my script can retrieve it. I create a vault (I tried also a standard one, but here I am showing an example with an asymmetric one, because all examples I found use it):

    kinit admin
    <Entering password for admin>
    ipa vault-add svc-vault --service MYSVC/server.mydomain.com --type asymmetric --public-key-file svc.pub.pem
    ipa vault-archive svc-vault --service MYSVC/server.mydomain.com --data <secret_data_in_base64>

OK, secret is stored. And here is my vault:

    # ipa vault-find --services
    ---------------
    1 vault matched
    ---------------
      Vault name: svc-vault
      Type: asymmetric
      Vault service: MYSVC/server.mydomain....@mydomain.com
    ----------------------------
    Number of entries returned 1
    ----------------------------

Finally, I generate a keytab for my script:

    ipa-getkeytab -p MYSVC/server.mydomain.com -k /var/kerberos/krb5/user/856500016/client.keytab

OK... now I clean up with "kdestroy" and try to run my script as the user "svc-user". And the script is trying to do this:

    kinit MYSVC/server.mydomain.com -k -t /var/kerberos/krb5/user/856500016/client.keytab
    klist
    ipa vault-find --services
    ...

And the problem is that it simply doesn't find the svc-vault.

It does seem like it manages to get the Kerberos ticket, this is the output from klist (inside the script):

    Default principal: MYSVC/server.mydomain....@mydomain.com
    Valid starting       Expires              Service principal
    02/27/2019 17:04:58  02/28/2019 17:04:58  krbtgt/mydomain....@mydomain.com

Now... If I add the user "svc-user" as a member to my svc-vault, add the svc-user to the keytab and then use "kinit svc-user" in my script, then it seems to work. But then I don't understand the whole point of a "service vault"... what's the purpose of the MYSVC/server.mydomain.com principal here actually...?

And another question - can't exactly the same (with "svc-user" in the keytab) work also for a standard vault, without keys...? Because it looks like it becomes exactly the same use case as if I just interactively use the vault shared with svc-user...

Thanks!

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
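The unattended retrieval step the post describes (kinit from a keytab as the service principal, then read the asymmetric vault), written out as a hardened wrapper script. This is an added example, not code from the post or from the FreeIPA project. It assumes the names the post uses (vault "svc-vault", principal MYSVC/server.mydomain.com, the keytab path shown above) plus two placeholders of its own: the private key matching svc.pub.pem at /etc/svc/svc.key.pem and an output path /run/svc/secret. It also assumes the service principal has already been granted access to the vault; it does not answer the post's question about why the service principal cannot see it. The `check_private_file` helper is the part that runs offline: it refuses to use a keytab or private key that is group/world readable or owned by someone else, since either would let another local account impersonate the service and pull the secret.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or the FreeIPA project).
# Unattended retrieval of an asymmetric service vault with a keytab.

VAULT_NAME="svc-vault"                                   # from the post
SVC_PRINC="MYSVC/server.mydomain.com"                    # from the post
KEYTAB="/var/kerberos/krb5/user/856500016/client.keytab" # from the post
PRIV_KEY="/etc/svc/svc.key.pem"  # assumed: private half of svc.pub.pem
OUT_FILE="/run/svc/secret"       # assumed: where the plaintext is written

# Return 0 only if the file exists, is mode 0600 or 0400, and is owned by
# the calling user. Anything looser lets other local users read the key
# material and obtain the service's ticket themselves. Uses GNU stat.
check_private_file() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400) ;;
        *) return 1 ;;
    esac
    [ "$owner" = "$(id -u)" ]
}

retrieve_secret() {
    check_private_file "$KEYTAB" || { echo "refusing: keytab $KEYTAB is too open or not ours" >&2; return 1; }
    check_private_file "$PRIV_KEY" || { echo "refusing: key $PRIV_KEY is too open or not ours" >&2; return 1; }

    # Use a private credential cache so the service ticket never lands in
    # the default cache shared with interactive sessions, and destroy it
    # (plus the cache file) when the script exits for any reason.
    ccdir=$(mktemp -d) || return 1
    KRB5CCNAME="FILE:$ccdir/krb5cc"
    export KRB5CCNAME
    trap 'kdestroy -q 2>/dev/null; rm -rf "$ccdir"' EXIT

    # Same step as in the post: obtain a TGT for the service principal
    # from the keytab instead of a password.
    kinit -k -t "$KEYTAB" "$SVC_PRINC" || return 1

    # Decrypt the vault with the private key and write the plaintext to a
    # file that is created owner-only (umask 077) rather than echoing it.
    umask 077
    ipa vault-retrieve "$VAULT_NAME" --service "$SVC_PRINC" \
        --private-key-file "$PRIV_KEY" --out "$OUT_FILE"
}

# Only perform the retrieval when explicitly asked, so the file can also be
# sourced for its permission check without touching Kerberos or IPA.
if [ "${1:-}" = "--run" ]; then
    retrieve_secret
fi
```

Run it as the service account with `sh retrieve.sh --run`; the plaintext ends up in `/run/svc/secret` readable only by that account, and the ticket cache is gone once the script returns.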