Both DNS and Kerberos are configured as part of the initial client configuration. This is required because these are the two services that bring the machine within the IdM domain and allow it to identify the IdM server it will connect with. After the initial configuration, IdM has tools to manage both of these services in response to changes in the domain services, changes to the IT environment, or changes on the machines themselves which affect Kerberos, certificate, and DNS services.
This chapter describes how to manage identity services that relate directly to the client machine:
12.1. About Hosts, Services, and Machine Identity and Authentication
The basic function of an enrollment process is to create a host
entry for the client machine in the IdM directory. This host entry is used to establish relationships between other hosts and even services within the domain (as described in Chapter 1, Introduction to Red Hat Identity Management
). These relationships are part of delegating
authorization and control to hosts within the domain.
A host entry contains all of the information about the client within IdM:
Service entries associated with the host
The host and service principal
Access control rules
Machine information, such as its physical location and operating system
Some services that run on a host can also belong to the IdM domain. Any service that can store a Kerberos principal or an SSL certificate (or both) can be configured as an IdM service. Adding a service to the IdM domain allows the service to request an SSL certificate or keytab from the domain. (Only the public key for the certificate is stored in the service record. The private key is local to the service.)
An IdM domain establishes a commonality between machines, with common identity information, common policies, and shared services. Any machine which belongs to a domain functions as a client of the domain, which means it uses the services that the domain provides. An IdM domain provides three main services specifically for machines:
Like users, machines are an identity that is managed by IdM. Client machines use DNS to identify IdM servers, services, and domain members. These are, like user identities, stored in the 389 Directory Server instance for the IdM server. Like users, machines can be authenticated to the domain using Kerberos or certificates.
From the machine perspective, there are several tasks that can be performed that access these domain services:
Joining the DNS domain (machine enrollment)
Managing DNS entries and zones
Managing machine authentication
Authentication in IdM includes machines as well as users. Machine authentication is required for the IdM server to trust the machine and to accept IdM connections from the client software installed on that machine. After authenticating the client, the IdM server can respond to its requests. IdM supports three different approaches to machine authentication:
SSH keys. The SSH public key for the host is created and uploaded to the host entry. From there, the System Security Services Daemon (SSSD) uses IdM as an identity provider and can work in conjunction with OpenSSH and other services to reference the public keys located centrally in Identity Management. This is described in Section 12.5, “Managing Public SSH Keys for Hosts”
Key tables (or keytabs
, a symmetric key resembling to some extent a user password) and machine certificates. Kerberos tickets are generated as part of the Kerberos services and policies defined by the server. Initially granting a Kerberos ticket, renewing the Kerberos credentials, and even destroying the Kerberos session are all handled by the IdM services. Managing Kerberos is covered in Chapter 29, Managing the Kerberos Domain
Machine certificates. In this case, the machine uses an SSL certificate that is issued by the IdM server's certificate authority and then stored in IdM's Directory Server. The certificate is then sent to the machine to present when it authenticates to the server. On the client, certificates are managed by a service called certmonger.