Streamlining host principal keytab provisioning?
Simon Wilkinson
simon at sxw.org.uk
Tue Apr 24 11:34:30 EDT 2012
On 24 Apr 2012, at 14:06, Jeff Blaine <jblaine at kickflop.net> wrote:
> How are people provisioning host principal keytabs in
> large quantities? I've never really seen anyone discuss
> this. It's not 1988 anymore ;)
I built a system to do this for my former employer, and presented on it at the 2005 Best Practices Workshop. Slides are at http://www.dice.inf.ed.ac.uk/publications/AFSWorkshop-2005/AFSWorkshop.pdf
Essentially, we allowed any system administrator to register a principal of the form hostclient/<machine> and then allowed that principal to register any service principal of the form <service>/<machine>. These rules are enforced by using kadmind's ACLs.
We were still using this when I left at the beginning of the year. At that point we were considering using wallet, rather than kadmin, to handle the access control, and to restrict the set of service principals that can be created for a machine to the list of services in the configuration database. We had also considered various ways of further automating the creation of the initial hostclient principal, but none of these appeared cost effective for us, given provisioning of new machines generally involved console access anyway.
Hope that helps!
Simon.
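As an added illustration (not from Simon's message, and not the ACL file his former employer used), the following Python models how kadmind's kadm5.acl wildcard rules can enforce the hostclient scheme described above: an administrator may register hostclient/<machine>, and that hostclient principal may then create and key only principals of the form <service>/<machine> for its own machine. The sample ACL text, the realm EXAMPLE.COM, the machine names and the function names are all constructed for this example. The matcher is a deliberately simplified model of MIT kadmind's semantics (first entry whose principal and target columns both match decides; `*` matches one whole name component; `*N` in the target column refers to the Nth `*` matched in the principal column; restrictions such as `-maxlife` and upper-case negated permissions are ignored), so it is a tool for reasoning about and unit-testing a proposed ACL, not a replacement for testing against a real kadmind.

```python
"""Toy evaluator for MIT-style kadm5.acl entries (constructed example).

Models the access pattern described in the post:
  */admin may add a hostclient/<machine> principal,
  hostclient/<machine> may add, rekey and inquire <service>/<machine>
  and nothing else.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Permission letters used by MIT kadmind; '*' or 'x' grants all of them.
ALL_PERMS = set("acdilmps")

# Constructed sample ACL in the spirit of the scheme in the post.
SAMPLE_ACL = """
# Sysadmins (any principal with the 'admin' instance) may register
# hostclient principals for machines, and nothing else via this line.
*/admin@EXAMPLE.COM        aci   hostclient/*@EXAMPLE.COM
# A machine's hostclient principal may add, change keys of, and inquire
# about any principal whose instance is that same machine name.  '*1'
# refers back to what the '*' in the principal column matched.
hostclient/*@EXAMPLE.COM   aci   */*1@EXAMPLE.COM
"""


@dataclass
class AclEntry:
    principal: List[str]           # name components, realm as last element
    perms: set
    target: Optional[List[str]]    # None means "any target"


def split_principal(name: str) -> List[str]:
    """'hostclient/web1.example.com@REALM' -> ['hostclient', 'web1.example.com', 'REALM']."""
    if "@" not in name:
        raise ValueError("realm required in this model: %r" % name)
    base, realm = name.rsplit("@", 1)
    return base.split("/") + [realm]


def parse_acl(text: str) -> List[AclEntry]:
    """Parse kadm5.acl-style lines: principal perms [target [restrictions...]]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        perm_field = fields[1]
        if perm_field in ("*", "x"):
            perms = set(ALL_PERMS)
        else:
            # Upper-case letters are negations in MIT; ignored in this model.
            perms = {c for c in perm_field if c.islower()}
        target = None
        if len(fields) > 2 and not fields[2].startswith("-"):
            target = split_principal(fields[2])
        entries.append(AclEntry(split_principal(fields[0]), perms, target))
    return entries


def match_principal(pattern: List[str], name: List[str]) -> Optional[List[str]]:
    """Component-wise match; returns the components captured by '*' or None."""
    if len(pattern) != len(name):
        return None
    captures = []
    for p, n in zip(pattern, name):
        if p == "*":
            captures.append(n)
        elif p != n:
            return None
    return captures


def match_target(pattern: List[str], name: List[str], captures: List[str]) -> bool:
    """Target match: '*' is free, '*N' must equal the Nth capture from the principal column."""
    if len(pattern) != len(name):
        return False
    for p, n in zip(pattern, name):
        if p == "*":
            continue
        back_ref = re.fullmatch(r"\*(\d+)", p)
        if back_ref:
            idx = int(back_ref.group(1)) - 1
            if idx >= len(captures) or captures[idx] != n:
                return False
        elif p != n:
            return False
    return True


def is_allowed(entries: List[AclEntry], caller: str, op: str, target: Optional[str] = None) -> bool:
    """First entry matching caller (and target, if the entry names one) decides."""
    caller_parts = split_principal(caller)
    target_parts = split_principal(target) if target else None
    for entry in entries:
        captures = match_principal(entry.principal, caller_parts)
        if captures is None:
            continue
        if entry.target is not None:
            if target_parts is None or not match_target(entry.target, target_parts, captures):
                continue
        return op in entry.perms
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    machine = "web1.example.com"
    for caller, op, tgt in [
        ("alice/admin@EXAMPLE.COM", "a", "hostclient/%s@EXAMPLE.COM" % machine),
        ("hostclient/%s@EXAMPLE.COM" % machine, "a", "host/%s@EXAMPLE.COM" % machine),
        ("hostclient/%s@EXAMPLE.COM" % machine, "c", "afs/%s@EXAMPLE.COM" % machine),
        ("hostclient/%s@EXAMPLE.COM" % machine, "a", "host/web2.example.com@EXAMPLE.COM"),
    ]:
        print("%-45s %s %-40s -> %s" % (caller, op, tgt, is_allowed(acl, caller, op, tgt)))
```

Run as a script it prints the four decisions; the last one is the important negative case, showing that a compromised or mis-provisioned hostclient/web1 key cannot be used to mint keytabs for web2. Because the model is plain Python, a site can keep its intended ACL in version control alongside a table of "must allow" and "must deny" cases and run them on every change, which is the check Simon's kadmin-ACL approach otherwise leaves to manual review.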