On Thu, Jul 27, 2017 at 02:42:50PM +0200, Christian Heimes via FreeIPA-users wrote:
> On 2017-07-27 12:17, Darac Marjal via FreeIPA-users wrote:
> > Hi all,
> >
> > I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on on a few computers on my small network. So far, I've managed to set up automounting of krb5i-protected shares on my NAS. I can see that, when I log in, a kerberos ticket is arranged and then that is used to authenticate to the NFS server.
> >
> > What I'm now wondering about is how things work with cron. I would like to leave some of my machines unattended, but still have them run cron jobs that access the NFS filesystems. Is this a non-problem (i.e. is cron going to be able to access my files without interaction, in the same way that it would on a regular system?) Or do I need to arrange something beforehand to allow cron access (I've seen various references to S4U2Proxy, to creating a "user/cron@REALM" user and mapping that to just "user@REALM" and also to simply running kinit before each job.)
> >
> > Pointers to documentation would be useful. For reference, I'm running FreeIPA on Fedora 25, but my client machines are typically Debian 9.
>
> You don't have to resort to a cron job to request and refresh a TGT.
No, but if I want my user to be able to create a cronjob which accesses files on my kerberos-secured NFS server, then cron needs a ticket.
> It's much simpler to use a keytab for your service and let Kerberos acquire a TGT automatically. You can either place the keytab in a special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to handle the keytab for you. With a client keytab, you don't have to call kinit at all.
OK, I'd seen references to using keytabs with cron. I'll go down that route. Thank you.
> Christian
>
> --
> Christian Heimes
> Senior Software Engineer, Identity Management and Platform Security
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
--
For more information, please reread.
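A wrapper for the keytab route Christian describes, as an added example that is not part of the thread: it refuses a keytab that is readable by anyone but the job's user, exports KRB5_CLIENT_KTNAME so GSSAPI clients in the job acquire a TGT on their own, and falls back to `kinit -k -t` so the user's default credential cache (the one the NFS client's rpc.gssd looks up) is populated for kernel NFS access, which never calls GSSAPI in the job's own process. The keytab path, the PRINCIPAL/KEYTAB variables, the crontab schedule and the `cron_entry` helper are my assumptions, not anything from FreeIPA or the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout: the user's keytab
# is ~/.config/krb5/cron.keytab, mode 0600, holding the key for user@REALM.
set -eu

# Succeed only if the keytab is a regular file owned by the current user
# with no group/other permission bits (rw-------); a world-readable
# keytab is equivalent to a world-readable password.
keytab_is_private() {
    ktab=$1
    [ -f "$ktab" ] || return 1
    [ "$(ls -ld "$ktab" | awk '{print $3}')" = "$(id -un)" ] || return 1
    case "$(ls -ld "$ktab" | cut -c1-10)" in
        -rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the crontab fragment: an env assignment line (Vixie cron honours
# NAME=value lines) followed by the schedule and command.
cron_entry() {
    # $1 keytab path, $2 schedule, $3 command
    printf 'KRB5_CLIENT_KTNAME=%s\n%s %s\n' "$1" "$2" "$3"
}

# Make sure the default ccache holds a valid TGT; if klist -s reports
# none, get one from the keytab (no password prompt, so it works unattended).
ensure_ticket() {
    ktab=$1; princ=$2
    klist -s 2>/dev/null && return 0
    kinit -k -t "$ktab" "$princ"
}

main() {
    ktab=${KEYTAB:-$HOME/.config/krb5/cron.keytab}
    princ=${PRINCIPAL:?set PRINCIPAL=user@REALM}
    keytab_is_private "$ktab" || {
        echo "refusing: $ktab must be mode 0600 and owned by $(id -un)" >&2
        exit 1
    }
    export KRB5_CLIENT_KTNAME="$ktab"   # GSSAPI clients auto-acquire a TGT
    ensure_ticket "$ktab" "$princ"      # kernel NFS needs the ccache filled
    exec "$@"
}

# Run as: RUN_MAIN=1 PRINCIPAL=user@REALM ./krb-cron-wrapper.sh /path/to/job
if [ "${RUN_MAIN:-}" = 1 ]; then main "$@"; fi
```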