On Fri, 08 Apr 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:


--
Francis Augusto Medeiros-Logeay
Oslo, Norway

On 2022-04-08 10:22, Sam Morris via FreeIPA-users wrote:


You need something to automate the process of obtaining a
ticket-granting-ticket every so often.

Check out kstart <https://www.eyrie.org/~eagle/software/kstart/> for
this purpose. The user needs to run their job via k5start, and k5start
takes on the job of obtaining and renewing a TGT while the job is
running.

If you can't use kstart, something else will have to keep running
'kinit -k -i' every so often. I suggest the '-i' argument because it
uses a standard well-known keytab location; you only have to drop your
keytab at that location & make sure the user can read it, and kinit is
clever enough to figure out the principal name itself. The location is
documented in the kerberos(7) man page - look for KRB5_CLIENT_KTNAME
(or just run 'kinit -k -i' and it will spit out the location it's
looking for in the error message).

Thanks Sam,

I've looked at k5start before, and, correct me if I am wrong, but the difference between using `kinit -k -i | -t keytab` and k5start is that the latter takes care of the daemonization aspect, right? As I see it, both need a keytab to work. The issue for me here is that it is a bit undesirable to leave a keytab around. What I like about FreeIPA is that you can fetch the keytab from a cached credential, so that you could fetch it, use k5start or kinit -kt, and then erase it.

I guess there's no way to renew those tickets without a keytab, right?

Nope -- unless you store that password somewhere and run a systemd
timer, effectively.

If you store your user credentials into a keytab and just set
KRB5_CLIENT_KTNAME, this will work too. A systemd timer could be used to
replace k5start.

Alternatively, gssproxy could be used for that. It already knows how to
handle NFS, for example, so it would work just fine. But it also expects
to have a keytab in a proper place.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
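The systemd-timer replacement for k5start that the reply sketches (periodic `kinit -k -i` with KRB5_CLIENT_KTNAME set), written out as an added example; it is not from the thread or from the FreeIPA project. The unit names, the service user `jobuser`, the keytab path, the cache path and the 4-hour interval are assumptions; the consuming job and the refresh unit must point KRB5CCNAME at the same cache.

```ini
# /etc/systemd/system/krb5-tgt-refresh.service   (assumed name)
# One-shot unit: obtain a fresh TGT from the client keytab.
[Unit]
Description=Refresh Kerberos TGT for jobuser from client keytab

[Service]
Type=oneshot
User=jobuser
Group=jobuser
# Explicit client keytab location, as suggested in the thread, instead of the
# distribution default. Assumed path; keep it mode 0400, owned by jobuser.
Environment=KRB5_CLIENT_KTNAME=FILE:/etc/krb5.jobuser.keytab
# Cache the job will read; must match the consuming unit below (assumed path).
Environment=KRB5CCNAME=FILE:/run/jobuser/krb5cc
RuntimeDirectory=jobuser
RuntimeDirectoryPreserve=yes
# -k: authenticate with a keytab; -i: use the client keytab and take the
# principal name from it, so no principal argument is needed.
ExecStart=/usr/bin/kinit -k -i
# Least privilege: the unit only reads the keytab and writes the cache.
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ReadWritePaths=/run/jobuser

# /etc/systemd/system/krb5-tgt-refresh.timer   (assumed name)
[Unit]
Description=Periodically refresh Kerberos TGT for jobuser

[Timer]
# First run shortly after boot, then well inside a typical ticket lifetime.
OnBootSec=1min
OnUnitActiveSec=4h

[Install]
WantedBy=timers.target

# /etc/systemd/system/longjob.service   (assumed name for the consumer)
[Unit]
Description=Long-running job that needs Kerberos credentials
# Make sure a TGT exists before the job starts.
Wants=krb5-tgt-refresh.service
After=krb5-tgt-refresh.service

[Service]
User=jobuser
Environment=KRB5CCNAME=FILE:/run/jobuser/krb5cc
# Assumed job binary.
ExecStart=/usr/local/bin/longjob
```

Enable with `systemctl enable --now krb5-tgt-refresh.timer`; `klist -s` run as jobuser with the same KRB5CCNAME exits non-zero when the cache holds no valid TGT, which makes a convenient health check.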