On Thu, Jul 27, 2017 at 02:42:50PM +0200, Christian Heimes via FreeIPA-users wrote:
> On 2017-07-27 12:17, Darac Marjal via FreeIPA-users wrote:
>> Hi all,
>>
>> I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on
>> on a few computers on my small network.
>>
>> So far, I've managed to set up automounting of krb5i-protected shares
>> on my NAS. I can see that, when I log in, a Kerberos ticket is arranged
>> and then that is used to authenticate to the NFS server.
>>
>> What I'm now wondering about is how things work with cron. I would like
>> to leave some of my machines unattended, but still have them run cron
>> jobs that access the NFS filesystems.
>>
>> Is this a non-problem (i.e. is cron going to be able to access my files
>> without interaction, in the same way that it would on a regular system?)
>> Or do I need to arrange something beforehand to allow cron access? (I've
>> seen various references to S4U2Proxy, to creating a "user/cron@REALM"
>> user and mapping that to just "user@REALM", and also to simply running
>> kinit before each job.)
>>
>> Pointers to documentation would be useful.
>>
>> For reference, I'm running FreeIPA on Fedora 25, but my client machines
>> are typically Debian 9.
>
> You don't have to resort to a cron job to request and refresh a TGT.

No, but if I want my user to be able to create a cron job which accesses
files on my Kerberos-secured NFS server, then cron needs a ticket.

> It's much simpler to use a keytab for your service and let Kerberos
> acquire a TGT automatically. You can either place the keytab in a
> special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to
> handle the keytab for you. With a client keytab, you don't have to call
> kinit at all.

OK, I'd seen references to using keytabs with cron. I'll go down that
route. Thank you.

> Christian
>
> --
> Christian Heimes
> Senior Software Engineer, Identity Management and Platform Security
>
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael
> O'Neill, Eric Shander
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


--
For more information, please reread.

Attachment: signature.asc
Description: PGP signature
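The keytab route Christian describes, worked through as an added example (not code from the thread or from the FreeIPA project): a small POSIX shell wrapper that a cron job can call. It points KRB5_CLIENT_KTNAME at a per-user client keytab so the MIT Kerberos library obtains and renews the TGT itself, with no kinit in the job. The keytab path, the dedicated cron principal it holds and the rsync command are constructed placeholders; the keytab itself is assumed to have been issued beforehand (for example with ipa-getkeytab, not shown). Because the keytab contains the principal's long-term key, the wrapper refuses to run if anyone other than the owner can read it, which is the check most worth having in an unattended job.

```shell
#!/bin/sh
# Added example, not from the original thread: run an unattended job against a
# krb5i-protected NFS share using a client keytab instead of interactive kinit.
# Keytab path, principal and job command below are constructed placeholders.

# Refuse a keytab that anyone but its owner can read. A keytab holds the
# principal's long-term key, so a lax mode is as bad as a leaked password.
keytab_mode_ok() {
    kt="$1"
    [ -f "$kt" ] || return 1
    # GNU stat first (Linux), BSD stat as a fallback.
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run a command with KRB5_CLIENT_KTNAME pointing at the keytab. The MIT
# Kerberos client library then acquires a TGT from the keytab on first use
# and refreshes it as needed, so no ticket cache has to be primed by hand.
run_with_keytab() {
    kt="$1"; shift
    keytab_mode_ok "$kt" || {
        echo "refusing to use $kt: keytab must exist and be mode 0600" >&2
        return 2
    }
    KRB5_CLIENT_KTNAME="$kt" "$@"
}

# Produce the crontab line that schedules the job with the keytab in its
# environment (cron does not read the user's login environment).
cron_line() {
    minute="$1" hour="$2" kt="$3"; shift 3
    printf '%s %s * * * KRB5_CLIENT_KTNAME=%s %s\n' "$minute" "$hour" "$kt" "$*"
}

# Usage (constructed values; a dedicated user/cron@REALM principal in the
# keytab keeps the user's own credentials off the unattended machine):
# run_with_keytab /home/darac/.krb5/darac-cron.keytab rsync -a /nfs/data/ /backup/
# cron_line 30 2 /home/darac/.krb5/darac-cron.keytab rsync -a /nfs/data/ /backup/
```

Before scheduling the job, `klist -k /path/to/keytab` lists the principals the keytab contains, and running the wrapper once by hand from a shell with no existing ticket cache confirms that the NFS access works without kinit.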
