Thanks for the detailed info, I'll give it a shot! Joel.
-----Original Message-----
From: Brian Candler [mailto:[email protected]]
Sent: January-30-11 2:13 AM
To: Carter, Joel
Cc: [email protected]
Subject: Re: Linux system account ticket lifetime

On Fri, Jan 28, 2011 at 03:48:50PM -0800, Carter, Joel wrote:
> I have a RHEL5 machine that I want to use Kerberos tickets to access
> cifs shares on my AD domain. I want this ticket to be valid all the time
> (and thus able to mount using it any time) so that I don't have to go
> back to the old way of passing usernames and passwords on the command
> line or in a file.

I effectively do this for LDAP - i.e. nss_ldap uses kerberos to authenticate and encrypt the system LDAP queries.

What I do is use the key in the system keytab, and in a cronjob get a ticket for host/foo.example.com. Then the ldap client is configured to use this ticket cache.

--- /etc/cron.hourly/kerberos ---
#!/bin/sh
/usr/bin/kinit -k host/`hostname` -c /tmp/krb5cc_host

--- to test from command line ---
# KRB5CCNAME=/tmp/krb5cc_host ldapsearch

--- /etc/ldap.conf ---
krb5_ccname /tmp/krb5cc_host
use_sasl on
rootuse_sasl on
base dc=foo,dc=example,dc=com
uri ldap://ldap.foo.example.com
ldap_version 3
sasl_secprops minssf=56
nss_initgroups_ignoreusers backup,bin,bind,daemon,games,gnats,irc,libuuid,list,lp,mail,man,news,nslcd,ntp,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data

The LDAP server is configured to require kerberos, and permit read-only access to any authenticated user (which includes host/xxx principals):

ldapmodify -Y EXTERNAL -H ldapi:/// <<EOS
dn: cn=config
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain,minssf=56

dn: olcDatabase={1}hdb,cn=config
replace: olcAccess
olcAccess: {0}to * by dn.regex="^uid=([^@,]+)/admin,cn=gssapi,cn=auth$" manage by users read
-
replace: olcRequires
olcRequires: SASL
EOS

Note that both the system keytab and /tmp/krb5cc_host are only readable by root. As it happens, nscd also runs as root, so that's not a problem.

If I wanted it to run nscd as a different user, then in the cronjob I'd copy the ticket cache to another file and change its ownership.

umask 077
cp /tmp/krb5cc_host /tmp/krb5cc_nscd
chown nscd /tmp/krb5cc_nscd

The advantage of this approach is that it leverages the kerberos infrastructure to protect LDAP, eliminating the need for TLS and certificates.

I'm not a Windows user, but I imagine you could adapt it for CIFS access too. If necessary, you could have a separate keytab with a "real" user principal's credentials in it, if you can't persuade your CIFS server to accept a host/xxx principal as an authorized user. The point is you can convert the keytab into a ticket cache using a cronjob.

HTH,

Brian.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
