Hi folks,

Just to drop in a quick comment. We were wondering how to perform Kerberos5 and/or OpenAFS authentication without typing in user passwords.

The solution is to create a keytab file (with the user's key), which the service will then use to authenticate. For example, to run "kadmin" with root/admin credentials and without typing the password, you can do

    kadmin -k -p root/admin

(-k implies you want to use /etc/krb5.keytab to get the data from). This only works if the key for root/admin is actually found in the keytab file and you can read the keytab file (mode 0600 by default). Since most of our services run under different users, we should create /etc/<srvname>.keytab for each service and chown/chgrp it properly.

The creation of the keytab file is done within kadmin; here's an example for user "domtool" (which I've added already):

    $ kadmin -k -p root/admin
    kadmin: ktadd -k /etc/domtool.keytab domtool
    kadmin: quit
    $ kinit -k -t /etc/domtool.keytab domtool
    $ sudo -u domtool klist

Since we want to run the daemons this way, it is better to use k5start/krenew instead of kinit; those commands take care of both ticket renewal and AFS tokens. (Thanks to Cristopher Clausen for the hint.) I've compiled the package from source, from Debian testing. The manual page for k5start explains the logic behind it, along with actual usage examples and the chunks relevant for /etc/init.d/ scripts.

Stay nice,
-doc

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
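The procedure from the post (extract a per-service keytab with the admin key, hand it to the service user, then run the daemon under k5start instead of kinit), as an added example script that is not part of the original message or of HCoop's own tooling. It assumes MIT kadmin, an admin principal root/admin whose key is in /etc/krb5.keytab, one Unix user and one Kerberos principal per service sharing the service name, GNU stat (Debian) with a BSD fallback, and k5start in PATH; the service name "domtool" and the k5start flags used are illustrative, so check them against the k5start manual page on your build. The permission check is the part a practitioner wants before a daemon goes live: a keytab is a password equivalent, so anyone who can read it can become the principal.

```sh
#!/bin/sh
# Added example, not code from the original post or from HCoop.
# Assumptions (hypothetical): MIT kadmin, admin principal root/admin in
# /etc/krb5.keytab, service user == service principal, k5start in PATH.
set -u

ADMIN_PRINC=${ADMIN_PRINC:-root/admin}

# keytab_is_private FILE OWNER
# Returns 0 only if FILE exists, is owned by OWNER, is owner-readable and has
# no group/other permission bits (0600, 0400, ...).
keytab_is_private() {
    f=$1; owner=$2
    [ -f "$f" ] || return 1
    # GNU stat (Debian) first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null) || mode=$(stat -f '%OLp' "$f" 2>/dev/null) || return 1
    own=$(stat -c '%U' "$f" 2>/dev/null) || own=$(stat -f '%Su' "$f" 2>/dev/null) || return 1
    [ "$own" = "$owner" ] || return 1
    case "$mode" in
        [4567]00|?[4567]00) return 0 ;;   # owner may read; group/other have nothing
        *) return 1 ;;
    esac
}

# provision_keytab SERVICE
# Extracts SERVICE's key into /etc/SERVICE.keytab using the admin key from
# /etc/krb5.keytab (kadmin -k), then hands the file to the service user.
# Must run as root (it needs /etc/krb5.keytab and chown).
# Caveat: MIT ktadd generates a NEW random key (kvno+1) for the principal, so
# any other keytab holding the old key stops working. Do this once per
# service, not on every deploy.
provision_keytab() {
    svc=$1
    kt=/etc/$svc.keytab
    kadmin -k -p "$ADMIN_PRINC" -q "ktadd -k $kt $svc" || return 1
    chown "$svc:$svc" "$kt" || return 1
    chmod 0600 "$kt" || return 1
    keytab_is_private "$kt" "$svc"
}

# k5start_cmd SERVICE COMMAND...
# Prints the k5start invocation that runs COMMAND with a ticket cache k5start
# keeps renewing (-K 10: check every 10 minutes) and an AFS token (-t),
# using the service keytab (-f) for principal SERVICE (-u). Run it as the
# service user (e.g. via su or start-stop-daemon -c) so it can read the
# keytab that provision_keytab locked down to that user.
k5start_cmd() {
    svc=$1; shift
    printf 'k5start -f /etc/%s.keytab -u %s -K 10 -t -- %s\n' "$svc" "$svc" "$*"
}

case ${1:-} in
    provision) provision_keytab "$2" ;;
    check)     keytab_is_private "/etc/$2.keytab" "$2" && echo "ok: /etc/$2.keytab" ;;
    cmd)       shift; k5start_cmd "$@" ;;
    *)         echo "usage: $0 provision|check SERVICE | cmd SERVICE COMMAND..." >&2 ;;
esac
```

Usage: `sh keytab.sh provision domtool` once, as root; `sh keytab.sh check domtool` from the init script before starting the daemon (abort if it fails, a world-readable keytab is worse than a service that does not start); `sh keytab.sh cmd domtool /usr/sbin/domtool` prints the line to put behind su/start-stop-daemon. The k5start flags and their meanings above are stated as assumptions to be verified against the manual page on the installed version.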
