Open Thulium-Drake opened 9 months ago
Technically you can -- this is defined in cockpit-certificate-helper, see cmd_ipa_request(). I.e. if you create /etc/cockpit/krb5.config yourself, then it'll use that principal.
Thanks for the reply! I took a look at the code you mentioned:
Isn't the kerberos principal hardcoded here? I don't see a reference to the config file you mention in this file. I can see it will handle all interactions with the IPA server in order to set up the principal and certificate. But I don't see a means to configure (or overwrite) the service name used.
EDIT: Also, does this mean that cockpit will dynamically pick up the acceptorname from the keytab? That'd be really cool :-)
> Isn't the kerberos principal hardcoded here?
Yes, but there is a check which won't create the keytab if it's already present.
> I don't see a reference to the config file you mention in this file.
It's a bit indirect:
```sh
COCKPIT_CONFIG="@sysconfdir@/cockpit"
local KEYTAB="${COCKPIT_CONFIG}/krb5.keytab"
```

and @sysconfdir@ gets filled in by autoconf from ./configure --sysconfdir, i.e. pretty much always /etc in standard distro packages.
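Since the helper leaves an existing keytab untouched, the practical check is to see which service principals the keytab at that path actually holds. The following is an added example, not Cockpit's code: it parses the standard version-2 keytab layout (as written by MIT/Heimdal) and builds a constructed sample keytab with dummy keys so it runs offline; the principal names are assumed sample values.

```python
import struct

# Keytab layout (version 0x0502, big-endian): uint16 version, then entries of
#   int32 size; uint16 num_components; cstr realm; cstr components[n]; uint32 name_type;
#   uint32 timestamp; uint8 vno8; uint16 enctype; cstr key; [uint32 kvno]
# where cstr = uint16 length + bytes. A negative size marks a deleted slot.

def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b

def build_keytab(principals, key=b"\x00" * 16, enctype=18, kvno=1) -> bytes:
    """Constructed sample keytab holding 'svc/host@REALM' principals (dummy key)."""
    out = b"\x05\x02"
    for princ in principals:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno)  # NT-PRINCIPAL, timestamp 0, vno8
        body += struct.pack(">H", enctype) + _cstr(key)
        out += struct.pack(">i", len(body)) + body
    return out

def keytab_principals(data: bytes) -> list:
    """Return [(principal, kvno)] for every live entry in a keytab blob."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # deleted slot: skip its body
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        parts = []
        for _ in range(ncomp + 1):   # realm first, then the name components
            (ln,) = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + ln].decode()); pos += ln
        realm, comps = parts[0], parts[1:]
        vno8 = struct.unpack_from(">IIB", data, pos)[2]; pos += 9
        (keylen,) = struct.unpack_from(">H", data, pos + 2); pos += 4 + keylen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        found.append(("/".join(comps) + "@" + realm, kvno))
        pos = end
    return found

def acceptor_services(data: bytes) -> set:
    """Service names (e.g. 'COCKPIT', 'HTTP') an acceptor could use from this keytab."""
    return {p.split("/")[0] for p, _ in keytab_principals(data)}
```

On a real host, `keytab_principals(open("/etc/cockpit/krb5.keytab", "rb").read())` shows the same information as `klist -kt` for that file.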
Page:
Hi there!
I'd really like to be able to use the HTTP service principal for the actual webserver on a system and not need to share the keytab between the services. Would it be possible to make the Kerberos Acceptor name configurable, such as Apache does as well? (https://github.com/gssapi/mod_auth_gssapi?tab=readme-ov-file#gssapiacceptorname)
I'd suggest a default (if you wish to change it) of COCKPIT/host.example.com@EXAMPLE.COM
Thanks!