On Mon, 25 Apr 2022, Francis Augusto Medeiros-Logeay wrote:
On 2022-04-25 11:49, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
On 2022-04-08 10:57, Alexander Bokovoy via FreeIPA-users wrote:


I started to look at GSSPROXY, and it seems like a good alternative, as we
could use a keytab that gives limited access to resources, and not the
user's keytab. Would a service keytab work here, or should I rather
create a specific user just for the purpose of mounting NFS, for
example?

I actually tested it, but it seems I had a misunderstanding. Gssproxy helps me to be able to mount my NFSv4 shares, but the problem is that the user can't access them without a ticket, so I am back to square one, which is, how to get a ticket for the user, non-interactively, after his ticket has expired, so that running jobs won't create havoc when the user loses access to his (mounted) share.

You need to instruct gssproxy to use a client keytab that contains the
user's keys.

You have to use the user's keys in that keytab because you need to make sure
the UID of the user has the same mapping between what the client runs and
what the NFS server uses. For users it is done more or less automatically.
For services it is not, because Kerberos services in IPA do not have
POSIX identities.

https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#keytab-based-client-initiation
describes a general solution.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
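The keytab-based client initiation that Alexander's reply points to, as an added example that is not from this thread or from the gssproxy project: a small audit of the per-user client keytabs that gssproxy would pick up, checking the one thing the reply insists on, that the keys in UID.keytab belong to the user who owns that UID rather than to a service principal. It assumes the layout from gssproxy's docs/NFS.md (a `[service/nfs-client]` section with `cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab`, where `%U` is the UID of the calling process); the passwd map, realm and `klist -k` outputs below are constructed sample data, and `audit_client_keytab`, `keytab_mode_ok` and the other names are this example's own.

```python
"""Audit per-user gssproxy client keytabs for a Kerberized NFS mount.

Added example; not code from this thread or from the gssproxy project.
It assumes the keytab-based client initiation layout in gssproxy's
docs/NFS.md: the [service/nfs-client] section names
    cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
and %U is the UID of the process that touches the mount. The point made
in the reply: that keytab must hold the keys of the *user* whose POSIX
UID this is, not a service principal, or the NFS server's idmapping will
not line up with the UID on the client.
"""
import os
import re
import stat

CLIENT_KEYTAB_DIR = "/var/lib/gssproxy/clients"          # assumed, per NFS.md
KLIST_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")  # "   2 user@REALM"


def parse_klist_keytab(output):
    """Parse `klist -k <keytab>` text into a list of (kvno, principal)."""
    return [(int(m.group(1)), m.group(2))
            for m in map(KLIST_ENTRY.match, output.splitlines()) if m]


def uid_from_keytab_path(path):
    """'/var/lib/gssproxy/clients/1001.keytab' -> 1001; None if misnamed."""
    m = re.fullmatch(r"(\d+)\.keytab", os.path.basename(path))
    return int(m.group(1)) if m else None


def audit_client_keytab(path, klist_output, passwd, realm):
    """Return findings for one keytab; an empty list means it is usable.

    passwd maps account name -> uid as `getent passwd` reports it on the
    client (the NFS server must map the same name to the same uid).
    """
    uid = uid_from_keytab_path(path)
    if uid is None:
        return [f"{path}: not named <uid>.keytab, the %U lookup will never select it"]
    findings = []
    entries = parse_klist_keytab(klist_output)
    if not entries:
        findings.append(f"{path}: no principals found")
    for princ in sorted({p for _, p in entries}):   # one finding per principal
        name, _, prealm = princ.partition("@")
        if "/" in name:
            # nfs/host, host/host and friends: IPA services carry no POSIX
            # identity, so the server has no uid to map this authentication to.
            findings.append(f"{path}: {princ} is a service principal, not a user")
            continue
        if prealm != realm:
            findings.append(f"{path}: {princ} is in realm {prealm}, expected {realm}")
        if passwd.get(name) != uid:
            findings.append(f"{path}: {princ} maps to uid {passwd.get(name)} "
                            f"but gssproxy hands this keytab to uid {uid}")
    return findings


def keytab_mode_ok(st_mode, st_uid):
    """A user's long-term keys: root-owned, no group or other access.

    gssproxy opens the file itself (the nfs-client section runs with
    euid = 0), so the user never needs to read it.
    """
    return st_uid == 0 and (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


# Constructed sample data: a toy passwd map and two `klist -k` outputs.
PASSWD = {"francis": 1001, "alice": 1002}
REALM = "EXAMPLE.TEST"
KLIST_GOOD = """Keytab name: FILE:/var/lib/gssproxy/clients/1001.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 francis@EXAMPLE.TEST
   3 francis@EXAMPLE.TEST
"""
KLIST_SERVICE = """Keytab name: FILE:/var/lib/gssproxy/clients/1001.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 nfs/client.example.test@EXAMPLE.TEST
"""


def main():
    base = CLIENT_KEYTAB_DIR
    for path, out in ((f"{base}/1001.keytab", KLIST_GOOD),      # correct user keytab
                      (f"{base}/1001.keytab", KLIST_SERVICE),   # service keytab misfiled
                      (f"{base}/1002.keytab", KLIST_GOOD),      # wrong uid for francis
                      (f"{base}/francis.keytab", KLIST_GOOD)):  # not selectable via %U
        print(path, audit_client_keytab(path, out, PASSWD, REALM) or "OK")


if __name__ == "__main__":
    main()
```

To run this against a real client, feed `audit_client_keytab` the stdout of `klist -k <path>` for each file under the keytab directory, and `keytab_mode_ok` the `st_mode`/`st_uid` from `os.stat`; the passwd map comes from `pwd.getpwall()` or `getent passwd`. The audit deliberately treats any principal with a `/` in its name as a failure, which is exactly the "use a service keytab instead" idea from earlier in the thread.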