Add checker for service keytabs #175

Closed
tiran opened this issue Dec 16, 2020 · 0 comments · Fixed by #289

tiran commented Dec 16, 2020

Please include checkers for service keytabs to verify that keytabs and KRB5 configuration are working correctly. For example, we just had a case of a broken config snippet that could not be read by the dirsrv user.

Keytabs

  • HTTP_KEYTAB
  • DS_KEYTAB
  • IPA_DNSKEYSYNCD_KEYTAB (optional)
  • IPA_ODS_EXPORTER_KEYTAB (optional)
  • NAMED_KEYTAB (optional)

Each checker should be executed with the effective uid and gid of the service. You could use runuser:

runuser -u dirsrv -- kinit -c MEMORY: -kt /etc/dirsrv/ds.keytab ldap/HOSTNAME@REALM
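
One way to structure the per-service check requested above, as an added example (not code from the issue or from freeipa-healthcheck): each keytab is tried with `kinit` under the service account, and optional keytabs that are absent are skipped. The `KeytabCheck` table, the status strings and the injectable `exists`/`runner` parameters are assumptions; only the DS entry comes from the issue, and the second entry is a constructed placeholder.

```python
import os
import subprocess
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabCheck:
    name: str               # label from the issue's list, e.g. DS_KEYTAB
    user: str               # service account whose uid/gid the check runs under
    keytab: str
    principal: str
    optional: bool = False  # optional services may legitimately have no keytab


def build_command(check):
    # Same shape as the runuser line in the issue. MEMORY: keeps the test
    # ticket out of any on-disk credential cache.
    return ["runuser", "-u", check.user, "--", "kinit", "-c", "MEMORY:",
            "-kt", check.keytab, check.principal]


def run_check(check, exists=os.path.exists, runner=subprocess.run):
    """Return (name, status, detail); exists/runner are injectable for tests."""
    if not exists(check.keytab):
        status = "SKIPPED" if check.optional else "ERROR"
        return (check.name, status, "keytab not found")
    # Running kinit as the service user surfaces permission problems on the
    # keytab or KRB5 config snippets that a root-run kinit would never hit.
    proc = runner(build_command(check), capture_output=True, text=True)
    if proc.returncode == 0:
        return (check.name, "OK", "")
    return (check.name, "ERROR", proc.stderr.strip())


# DS entry taken from the issue (HOSTNAME and REALM are its placeholders).
# The second entry is constructed: user, path and principal are placeholders.
CHECKS = [
    KeytabCheck("DS_KEYTAB", "dirsrv", "/etc/dirsrv/ds.keytab",
                "ldap/HOSTNAME@REALM"),
    KeytabCheck("OPTIONAL_SERVICE_KEYTAB", "svc-placeholder",
                "/path/to/optional.keytab", "svc/HOSTNAME@REALM", optional=True),
]

if __name__ == "__main__":
    for check in CHECKS:  # must run as root, since runuser switches users
        print(*run_check(check))
```
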
@rcritten rcritten self-assigned this Mar 29, 2023
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Mar 29, 2023
There are quite a few other keytabs in use in IPA other than
just the host keytab. Validate that kinit in that keytab
works if the service is configured.

Fixes: freeipa#175

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Apr 28, 2023
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Oct 10, 2023
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Oct 13, 2023
rcritten added a commit to rcritten/freeipa-healthcheck that referenced this issue Oct 16, 2023
rcritten added a commit that referenced this issue Oct 16, 2023
There are quite a few other keytabs in use in IPA other than
just the host keytab. Validate that kinit in that keytab
works if the service is configured.

Fixes: #175

Signed-off-by: Rob Crittenden <rcritten@redhat.com>