#1041 [RFE] Support Automatic Renewing of Kerberos Host Keytabs
Closed: Fixed None Opened 8 years ago by myllynen.

Often with AD a Kerberos host keytab is needed to bind with SASL/GSSAPI for LDAP operations. On many sites security policies do not allow never-expiring passwords, so the keytab needs to be renewed eventually, currently requiring manual steps to obtain a new keytab.

SSSD should support automated renewal of Kerberos host keytabs as Samba/Winbind does.


I suggest putting this into deferred or closing it, since it is being planned as an independent project. This project should be completed within a year.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0

Fields changed

blockedby: =>
blocking: =>
milestone: SSSD 1.9.0 => SSSD Kerberos improvements

Fields changed

rhbz: => 0

Fields changed

feature_milestone: =>
proposed_priority: => Core

Fields changed

rhbz: 0 => todo
summary: RFE: Support Automatic Renewing of Kerberos Host Keytabs => [RFE] Support Automatic Renewing of Kerberos Host Keytabs

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta

Fields changed

priority: major => critical

A couple of notes though, based on the discussion we had about Ondrej's project:

1. The code of the project should be integrated into the SSSD code base
2. Instead of threads it should follow the same tevent style as everything else
3. It should work against MIT KDC, IPA or AD. To do that it should use the Kerberos protocol rather than an LDAP extended operation.

Please add if I missed something.

Fields changed

cc: => okos

Additional comments based on my notes:

  1. Integrate the code into the Kerberos provider
  2. Use LDB as a storage
  3. Get time of the last PWD change from the server. If not possible assume it was just created and start tracking it following the local policy.
  4. If there is a central policy, like in the AD case, the rotation must happen following that policy.

One other use case came up on the list: https://www.redhat.com/archives/freeipa-devel/2012-September/msg00279.html

It should be possible to point SSSD to a keytab that is for the service and not for the host.
SSSD should be able to rotate it even if it is not configured for other uses. Effectively this means that this functionality should be treated as a separately installable RPM.

Also when the keytab is rotated we should probably restart GSS proxy if it is configured and running.

Fields changed

owner: somebody => okos
status: new => assigned

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => May

Fields changed

priority: critical => major

Also needs to keep the previous keytabs.
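
The renewal logic sketched in the design notes above (take the last password change time from the server, fall back to local tracking, follow the central policy's maximum age, and keep the previous kvno when writing the new keytab), as an added Python example that is not SSSD code; the pwdLastSet value, the 30-day policy and the keytab entries are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# AD publishes the last password change as pwdLastSet, a FILETIME:
# 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def last_change_time(server_pwd_last_set, local_created_at):
    """Note 3: trust the server's record of the last change when it has one.
    A missing or zero pwdLastSet means we cannot tell, so assume the key
    was just created and track it locally from then on."""
    if server_pwd_last_set:
        return filetime_to_datetime(server_pwd_last_set)
    return local_created_at


def rotation_due(last_change, max_age, now, margin=timedelta(days=1)):
    """Note 4: follow the central policy's maximum key age, renewing a day
    early so a missed run does not leave the host with an expired key."""
    return now >= last_change + max_age - margin


def rotate_keytab(entries, new_kvno, new_entries, keep_previous=1):
    """Add the new kvno but keep the previous kvno(s) so service tickets
    already issued under the old key can still be decrypted.
    Entries are (kvno, principal, enctype) tuples, constructed here."""
    oldest_kept = new_kvno - keep_previous
    kept = [e for e in entries if e[0] >= oldest_kept]
    return sorted(kept + list(new_entries))


if __name__ == "__main__":
    # Constructed sample: pwdLastSet for 2024-01-01T00:00:00Z, 30-day policy.
    pwd_last_set = 133485408000000000
    last = last_change_time(pwd_last_set, datetime.now(timezone.utc))
    now = datetime(2024, 1, 30, tzinfo=timezone.utc)
    print("rotation due:", rotation_due(last, timedelta(days=30), now))
    keytab = [(2, "host/web.example.com@EXAMPLE.COM", "aes256-cts"),
              (3, "host/web.example.com@EXAMPLE.COM", "aes256-cts")]
    new = [(4, "host/web.example.com@EXAMPLE.COM", "aes256-cts")]
    print(rotate_keytab(keytab, 4, new))
```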

Fields changed

review: => 1

Fields changed

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Fields changed

owner: okos => somebody
status: assigned => new

Fields changed

changelog: =>
milestone: SSSD 1.12 beta => Interim Bucket

Fields changed

milestone: Interim Bucket => SSSD 1.12 beta

Fields changed

milestone: SSSD 1.12 beta => SSSD 1.13 beta

Fields changed

mark: => 0

Still makes sense, but still out of scope.

milestone: SSSD 1.13 beta => SSSD 1.13 backlog

In ticket #2220, Sumit proposed using msktutil for that:

msktutil https://code.google.com/p/msktutil/ is a tool for managing keytabs
and computer accounts from AD. We might want to integrate it for keytab renewals
like we use nsupdate for dynamic DNS updates.

Mass-moving tickets not planned for the 1.13 release to 1.14

milestone: SSSD 1.13 backlog => SSSD 1.14 beta

Looks like development is currently happening on SourceForge: http://sourceforge.net/projects/msktutil/ .

I created a copr repo with a recent version of msktutil at https://copr.fedoraproject.org/coprs/sbose/msktutil/ .

sensitive: => 0

Fields changed

cc: okos =>
milestone: SSSD 1.14 beta => SSSD 1.13.4
owner: somebody => sbose

Fields changed

patch: 0 => 1

Metadata Update from @myllynen:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.4

2 years ago
