Had a prior employer that solved this with non-human accounts to run automatic
processes that humans could sudo su to become and make operational changes.
Sysadmin set up keytabs for those process accounts. Jobs ran. People took time
off. Security was solid. The accounts with keytabs could not log in. Cron and
systemd timers ran jobs.
On April 8, 2022 2:19:26 PM EDT, Francis Augusto Medeiros-Logeay via
FreeIPA-users <[email protected]> wrote:
>
>
>On 2022-04-08 10:57, Alexander Bokovoy via FreeIPA-users wrote:
>> On Fri, 08 Apr 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users
>> wrote:
>
>>> I've looked at k5start before, and, correct me if I am wrong, but the
>>> difference between using a `kinit -k -i | -t keytab` and k5start is
>>> that the latter takes care of the daemonization aspect, right? As I see
>>> it, both need a keytab to work. The issue for me here is that it is a
>>> bit undesirable to leave a keytab around. What I like about FreeIPA is
>>> that you can fetch the keytab from a cached credential, so that you
>>> could fetch it, use k5start or kinit -kt, and then erase it.
>>>
>>> I guess there's no way to renew those tickets without a keytab, right?
>>
>> Nope -- unless you store that password somewhere and run a systemd
>> timer, effectively.
>>
>> If you store your user credentials into a keytab and just set
>> KRB5_CLIENT_KTNAME, this will work too. A systemd timer could be used to
>> replace k5start.
>>
>> Alternatively, gssproxy could be used for that. It already knows how to
>> handle NFS, for example, so it would work just fine. But it also expects
>> to have a keytab in a proper place.
>
>Thanks a lot, Alexander.
>
>I am clueless now on how to solve this. We experienced that, on machines
>where the user uses nfsv4+kerberos to mount their home directory, what
>happens is that if the user has some job that writes to some file on his
>home directory, the machine goes bananas if the ticket expires (ie, if
>the user goes on vacation and doesn't log in). This is already a problem
>for a machine with one user, imagine when the machine has dozens of
>users. This happened with a RHEL 8.5, and I see no remedy for this,
>other than:
>
>- storing a user keytab somewhere in his home folder, and using a
>mechanism (k5start, crond, etc) to fetch new TGTs, but that seems to be a
>potential security risk;
>- having some cron job that checks for expired credentials and kills all
>processes of that user to avoid a problem with the machine.
>
>Would you have any idea of something out of these lines?
>
>Best,
>
>Francis
>_______________________________________________
>FreeIPA-users mailing list -- [email protected]
>To unsubscribe send an email to
>[email protected]
>Fedora Code of Conduct:
>https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>List Archives:
>https://lists.fedorahosted.org/archives/list/[email protected]
>Do not reply to spam on the list, report it:
>https://pagure.io/fedora-infrastructure
--
Computers amplify human error
Super computers are really cool
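The thread settles on two ingredients for keeping a non-interactive job's Kerberos credentials alive: a keytab that only the job's own (non-login) process account can read, and a systemd timer or cron entry that re-runs `kinit -k -t` before the TGT expires. The script below is an added example written for this page, not code from the thread or from the FreeIPA project. The principal `batchsvc@EXAMPLE.TEST`, the paths under `/etc/batchsvc` and `/run/batchsvc`, and the `renew-tgt.sh` file name are hypothetical placeholders; it also assumes GNU `stat`/`date` and MIT `klist` printing its default `MM/DD/YYYY` dates.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Keeps the TGT of a
# non-human process account fresh from a keytab, to be run by a systemd
# timer or cron as that account, which itself cannot log in interactively.
# All names and paths below are hypothetical placeholders.

PRINCIPAL="${PRINCIPAL:-batchsvc@EXAMPLE.TEST}"
KEYTAB="${KEYTAB:-/etc/batchsvc/batchsvc.keytab}"
CCACHE="${KRB5CCNAME:-FILE:/run/batchsvc/krb5cc}"
MIN_LIFE_SECS="${MIN_LIFE_SECS:-3600}"   # renew when under an hour is left

# keytab_mode_ok FILE: succeed only when FILE is owner-read-only (0400 or
# 0600), i.e. the key material is not readable by other users on the host.
# Uses GNU `stat -c` (assumption).
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# tgt_expiry_epoch KLIST_TEXT: print the expiry of the krbtgt entry found in
# `klist` output as a Unix timestamp. Fails silently when there is no TGT.
# Assumes MIT klist's default column layout and GNU `date -d`.
tgt_expiry_epoch() {
    line=$(printf '%s\n' "$1" | grep 'krbtgt/' | head -n 1)
    [ -n "$line" ] || return 1
    # columns: start_date start_time expiry_date expiry_time service
    expiry=$(printf '%s\n' "$line" | awk '{print $3 " " $4}')
    date -d "$expiry" +%s
}

# needs_renewal KLIST_TEXT NOW_EPOCH: succeed when the TGT is missing or has
# fewer than MIN_LIFE_SECS seconds of life left at NOW_EPOCH.
needs_renewal() {
    expiry=$(tgt_expiry_epoch "$1") || return 0
    left=$((expiry - $2))
    [ "$left" -lt "$MIN_LIFE_SECS" ]
}

# renew_tgt: the action the timer performs. Refuses a keytab that other
# users could read, then obtains a fresh TGT into the account's own cache.
renew_tgt() {
    if ! keytab_mode_ok "$KEYTAB"; then
        echo "refusing: $KEYTAB is not mode 0400/0600" >&2
        return 2
    fi
    KRB5CCNAME="$CCACHE" kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

main() {
    now=$(date +%s)
    current=$(KRB5CCNAME="$CCACHE" klist 2>/dev/null)
    if needs_renewal "$current" "$now"; then
        renew_tgt
    fi
}

# Only act when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

A timer unit would run `sh /usr/local/sbin/renew-tgt.sh --run` with `User=batchsvc`, so the keytab and the credential cache belong to an account nobody logs in as. Applying the same script to a human user's home directory, as the thread discusses, means a keytab equivalent to that user's password lives on disk; the mode check above limits who can read it but does not remove that trade-off.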