On 2017-07-27 12:17, Darac Marjal via FreeIPA-users wrote:
> Hi all,
> I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on
> on a few computers on my small network.
> So far, I've managed to setup up automounting of krb5i-protected shares
> on my NAS. I can see that, when I log in a kerberos ticket is arranged
> and then that is used to authenticate to the NFS server.
> What I'm now wondering about is how things work with cron. I would like
> to leave some of my machines unattended, but still have them run cron
> jobs that access the NFS filesystems.
> Is this a non-problem (i.e. is cron going to be able to access my files
> without interaction, in the same way that it would on a regular system?)
> Or do I need to arrange something beforehand to allow cron access (I've
> seen various references to S4U2Proxy, to creating a "user/cron@REALM"
> user and mapping that to just "user@REALM" and also to simply running
> kinit before each job.)
> Pointers to documentation would be useful.
> For reference, I'm running FreeIPA on Fedora 25, but my client machines
> are typically Debian 9.

You don't have to resort to a cron job to request and refresh a TGT.
It's much simpler to use a keytab for your service and let Kerberos
acquire a TGT automatically. You can either place the keytab in a
special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to
handle the keytab for you. With a client keytab, you don't have to call
kinit at all.


Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander

Attachment: signature.asc
Description: OpenPGP digital signature

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to