On 05/20/2013 08:55 PM, Andrew Bartlett wrote:
> On Mon, 2013-05-20 at 20:28 -0400, David Mansfield wrote:
>> On 05/20/2013 07:08 PM, Andrew Bartlett wrote:
>>> On Mon, 2013-05-20 at 13:57 -0400, David Mansfield wrote:
>>>> Hi All:
>>>>
> It is, as long as all the services you are protecting are of the same
> privilege level.
>
>> Yes, that's what I have: the HTTP/
myhost.domain.com goes in
>> /etc/httpd/conf/krb5.keytab (owned by apache), the imap/
host.domain.com
>> goes in /etc/krb5.keytab.cyrus (owned by cyrus), the
>> smtp/
myhost.domain.com goes in /etc/postfix/krb5.keytab (owned by
>> postfix). And all of them become invalid the moment winbind changes the
>> machine password.
>
> Indeed.
>
>> I've researched a bit more and discovered that #1 is definitely a
>> winbind client changing the password issue. But I don't understand why
>> (not a kerb. guru) changing the password causes all the SPN keys
>> regenerated, but it's probably a standard thing.
>
> It is - there is no such thing as SPN keys, they all share the same key,
> that is the domain member account password that winbind is changing.
I didn't realize that all SPN principal's keys generated from the same
account basically share the same private key, so a compromised keytab
exported with just one service principal compromises the account that it
is associated to. Somehow I thought that the point of a service
principal was that it limited exposure to the service which it is used
for. That's a bummer.
>
>> So I'm left with either stopping winbind from changing the machine
>> password or figuring out a keytab distribution system... Yuk.
>
> Or pointing all the services at the same keytab. My point is that if
> this is not desired (because you want privilege separation on your
> system, quite reasonably) that you actually need to have a different
> account per service, as otherwise they are equivalent to each other.
>
Ok. Now I understand the crux of your point. If I have, e.g. two imap
instances on two hosts (say load balancing or whatever) it probably
makes more sense to create 'imap' user in AD, create two SPN from that,
one for each host, rather than create each from the machine account
associated to the host they run on - i.e. do it by service-account not
by host-account.
> Sadly kerberos is a private-key based system, not a public-key based
> system, so any service that has access to decrypt incoming tickets can
> also encrypt a new fake ticket in any name, real or imagined, including
> (say) root or a privileged user.
>
Thanks for your help. I will stew on this awhile.
David