
Re: NFS4 and Kerberos: A-records for same IP inflate the need for service principals



On Wednesday 05 January 2011 21:50:00 Andreas B. Mundt wrote:
> On Wed, Jan 05, 2011 at 07:10:24PM +0100, Petter Reinholdtsen wrote:
> [...]
>
> > > I am not an expert regarding that stuff and I don't know if there
> > > are other ways to achieve the desired. However, it looks as with the
> > > current setup we need service principals for all host aliases.
> >
> > That isn't too bad, is it?  It can be added automatically at install
> > time, right?
>
> Yes, the creation of the principals is done during installation. The
> script kerberos-kdc-init would contain something like:
>
>     for name in tjener.intern kerberos.intern ldap.intern domain.intern
> postoffice.intern syslog.intern; do
# How about proxy?

>         ## create machine principals and add them to the keytab:
>         kadmin.local -q "addprinc -randkey host/$name"
>         kadmin.local -q "ktadd host/$name"
>         ## create service principals and add them to the keytab:
>         kadmin.local -q "addprinc -randkey nfs/$name"
>         kadmin.local -q "ktadd nfs/$name"
>         kadmin.local -q "addprinc -randkey cifs/$name"
>         kadmin.local -q "ktadd cifs/$name"
>         kadmin.local -q "addprinc -randkey ldap/$name"
>         kadmin.local -q "ktadd -k /etc/krb5.keytab.ldap ldap/$name"
>         kadmin.local -q "addprinc -randkey imap/$name"
>         kadmin.local -q "ktadd -k /etc/krb5.keytab.imap imap/$name"
>         kadmin.local -q "addprinc -randkey smtp/$name"
>         kadmin.local -q "ktadd -k /etc/krb5.keytab.smtp smtp/$name"
>     done
>     chown dovecot:dovecot /etc/krb5.keytab.imap
>     chown openldap:openldap /etc/krb5.keytab.ldap
>     chown Debian-exim:Debian-exim /etc/krb5.keytab.smtp
>

Well, I'm a complete idiot regarding Kerberos, but it seems to me this is adding all 
services to each name while there is actually a correspondence between names 
and individual services. That should make order, not mess.
Whatever the sacrifice, dropping support for distributing services seems a 
non-option to me.

> However, I don't know if working with that mess of principals is a
> good idea in the end. From a first look it seems like making an
> already complicated and hard-to-debug-thing even more confusing, which
Does that spell Kerberos or Debian-Edu ;)

> also applies to moving individual services to other machines.
>
> Best regards,
>
>      Andi

Good job Andi, Odd.
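As an added example (not code from this thread and not Debian Edu's own kerberos-kdc-init), here is the shape the reply above argues for: a table that maps each DNS alias to only the services that actually answer on that name, so a host alias gets a host/ principal plus the principals for its own services instead of every service type. The alias-to-service table and the keytab paths are assumptions chosen to mirror the quoted script; the kadmin.local invocations are the same as in the quoted loop. The script generates the commands rather than running them, so it can be reviewed (or piped into sh) before touching the KDC.

```shell
#!/bin/sh
# Added example: per-alias service principals instead of every service on every alias.
# Not the project's kerberos-kdc-init; the mapping below is constructed for illustration.

# One line per alias: "<fqdn> <service types served on that name>".
# host/<fqdn> is always created; the rest follow the table. Assumed site layout.
SERVICE_MAP='
tjener.intern     nfs cifs
kerberos.intern
ldap.intern       ldap
postoffice.intern imap smtp
syslog.intern
'

# Keytab that a given service principal is written to. Services that run as root
# share the default /etc/krb5.keytab; daemons with their own uid get their own file.
keytab_for() {
    case "$1" in
        ldap) echo /etc/krb5.keytab.ldap ;;
        imap) echo /etc/krb5.keytab.imap ;;
        smtp) echo /etc/krb5.keytab.smtp ;;
        *)    echo /etc/krb5.keytab ;;
    esac
}

# Emit the kadmin.local commands for one alias and the services listed after it.
principals_for() {
    name=$1
    shift
    printf 'kadmin.local -q "addprinc -randkey host/%s"\n' "$name"
    printf 'kadmin.local -q "ktadd host/%s"\n' "$name"
    for svc in "$@"; do
        printf 'kadmin.local -q "addprinc -randkey %s/%s"\n' "$svc" "$name"
        printf 'kadmin.local -q "ktadd -k %s %s/%s"\n' "$(keytab_for "$svc")" "$svc" "$name"
    done
}

# Walk the table and print every command (dry run; nothing is executed here).
generate() {
    printf '%s\n' "$SERVICE_MAP" | while read -r name services; do
        [ -n "$name" ] || continue
        # $services is intentionally unquoted so each service type becomes one argument
        principals_for "$name" $services
    done
}

# Number of principals the table produces; useful to sanity-check the table.
count_principals() {
    generate | grep -c 'addprinc'
}

# Execute the generated commands on the KDC (run as root, only after reviewing the dry run).
apply() {
    generate | sh -e
}

generate
```

Run it as-is to see the command list; `./script.sh | sh -e` (or the apply function) on the KDC actually creates the principals. Moving a service to another machine then means editing one line of the table and re-running for that alias, which is the property the reply is after. Keytab ownership (the chown lines in the quoted script) is unchanged and still needed after ktadd.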

