Den 2016-06-08 14:00, skrev Alexander Bokovoy:
Make a service (ipa service-add), download a keytab with the key for
this service and use gss-proxy to provide refreshing credentials based
on the keytab to a script that runs periodically.


Hm. I like that idea, now I just need to actually make it work here :)

I have done:

ipa service-add PWDREMIND/script.host.fqdn
ipa-getkeytab -s script.host.fqdn -k /etc/gssproxy/pwdremind.keytab -p PWDREMIND/script.host.fqdn

...and I have a file /etc/gssproxy/pwdremind.keytab

I added a section to /etc/gssproxy/gssproxy.conf :

[service/PWDREMIND]
  mechs = krb5
  cred_store = keytab:/etc/gssproxy/pwdremind.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  euid = 0

I guess I could run the password reminder script as another user in cron and change the euid line above accordingly. Now I guess the next step is figuring out how to tell "ldapsearch" to work with gssproxy (unless I've made some other glaring mistake already).

Regards
Eivind Olsen

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to