On 2016-06-08 14:00, Alexander Bokovoy wrote:
Make a service (ipa service-add), download a keytab with the key for
this service and use gss-proxy to provide refreshing credentials based
on the keytab to a script that runs periodically.

Hm. I like that idea, now I just need to actually make it work here :)

I have done:

ipa service-add PWDREMIND/
ipa-getkeytab -s -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/

...and I have a file /etc/gssproxy/pwdremind.keytab

I added a section to /etc/gssproxy/gssproxy.conf :

  mechs = krb5
  cred_store = keytab:/etc/gssproxy/pwdremind.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 0

I guess I could run the password reminder script as another user in cron and change the euid line above accordingly. Now I guess the next step is figuring out how to tell "ldapsearch" to work with gssproxy (unless I've made some other glaring mistake already).

Eivind Olsen
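
A cron wrapper for the "next step" mentioned above, as an added example that is not part of the original post: it refuses to run if the keytab is readable by group or other, then sets `GSS_USE_PROXY=yes` so that ldapsearch's GSSAPI bind goes through gssproxy. The LDAP URI, base DN, search filter and function names are assumptions, and the sketch presumes GNU `stat` and an enabled gssproxy interposer mechanism.

```shell
#!/bin/sh
# Added example (not from the original post): wrapper for the reminder job.

KEYTAB=/etc/gssproxy/pwdremind.keytab              # path from the message above
LDAP_URI="ldap://ipa.example.test"                 # placeholder, adjust
BASE_DN="cn=users,cn=accounts,dc=example,dc=test"  # placeholder, adjust

# Return 0 only if $1 is a regular file (not a symlink) with no
# permission bits set for group or other, e.g. mode 600 or 400.
keytab_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    mode=$(stat -c '%a' "$f") || return 1   # GNU stat, octal mode
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run the search with credentials obtained by gssproxy.
# GSS_USE_PROXY=yes tells the GSSAPI library to hand credential handling
# to the gssproxy daemon, which picks the service section by the caller's
# uid (the "euid" line in gssproxy.conf).
run_query() {
    GSS_USE_PROXY=yes ldapsearch -Q -LLL -Y GSSAPI \
        -H "$LDAP_URI" -b "$BASE_DN" \
        '(krbPasswordExpiration=*)' uid mail krbPasswordExpiration
}

# Only act when called as "script --run", so the functions can be
# sourced and checked without contacting the directory.
if [ "${1:-}" = "--run" ]; then
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to run: $KEYTAB missing or readable by group/other" >&2
        exit 1
    fi
    run_query
fi
```

The permission check has to run as a user that can stat the keytab, which matches the `euid = 0` setup in the message.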
