Hi Harald, thank you for your details.
We use MIT Kerberos in FreeIPA. The kinit doesn't have a --afslog option.

> We run our web server authenticated from a keytab. The keytab contains
>
> # /usr/heimdal/sbin/ktutil --keytab=/etc/krb5.keytab.web-daemon list
> Vno Type Principal
> 0 des3-cbc-sha1 web-daemon/[email protected]
> 0 aes128-cts-hmac-sha1-96 web-daemon/[email protected]
> 0 arcfour-hmac-md5 web-daemon/[email protected]
>
> Then the webserver is started with Heimdal kinit (which does all the
> pagsh and renew magic) with that keytab:
>
> # ps auxgwww | grep kinit
> root 31751 0.0 0.0 39880 2100 ? S Jul04 0:04
> /usr/heimdal/bin/kinit --no-forward --no-renew
> --keytab=/etc/krb5.keytab.web-daemon --afslog
> web-daemon/[email protected] /usr/sbin/httpd -DNO_DETACH -D
> DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D INFO -D LANGUAGE -D SSL -D CACHE -D
> MEM_CACHE -D DAV -D STATUS -D AUTH_DIGEST -D PROXY -D USERDIR -D REWRITE -k
> start
>
> The web-daemon/[email protected] principal maps to this PTS
> identity (due to historical reasons the "/" is replaced with a "." in
> the OpenAFS pts to principal naming mapping; there are folks on this
> list who happen to know exactly why)
>
> $ pts exa web-daemon.scat.pdc.kth.se -c pdc.kth.se
> Name: web-daemon.scat.pdc.kth.se, id: 65531, owner: system:administrators,
> creator: haba.admin,
> membership: 4, flags: S----, group quota: 20.
>
> Then all web-daemons.x.y.z are members of this group:
>
> $ pts mem web-daemons -c pdc.kth.se
> Members of web-daemons (id: -32225) are:
> web-daemon.wrasse.pdc.kth.se
> web-daemon.schelly.pdc.kth.se
> web-daemon.scat.pdc.kth.se
>
> Then you give web-daemons the appropriate permissions in the file system.
>
> Harald.
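As an added example (not code from either post), a small shell check that applies the principal-to-PTS name mapping Harald describes (drop the realm, turn "/" into ".") and reports which keytab principals are missing from the pts group. The ktutil and pts listings below are constructed samples in the quoted format, and the realm REALM.EXAMPLE is a placeholder.

```shell
#!/bin/sh
# Map a Kerberos principal to its OpenAFS PTS name as described in the thread:
# web-daemon/scat.pdc.kth.se@REALM.EXAMPLE -> web-daemon.scat.pdc.kth.se
principal_to_pts() {
    printf '%s\n' "$1" | sed -e 's/@.*$//' -e 's#/#.#g'
}

# Constructed "ktutil ... list" output (realm is a placeholder)
KEYTAB_LIST='Vno Type Principal
0 des3-cbc-sha1 web-daemon/scat.pdc.kth.se@REALM.EXAMPLE
0 aes128-cts-hmac-sha1-96 web-daemon/scat.pdc.kth.se@REALM.EXAMPLE
0 arcfour-hmac-md5 web-daemon/wrasse.pdc.kth.se@REALM.EXAMPLE'

# Constructed "pts mem web-daemons" output: scat is deliberately absent
PTS_MEMBERS='Members of web-daemons (id: -32225) are:
web-daemon.wrasse.pdc.kth.se
web-daemon.schelly.pdc.kth.se'

# Unique principals from a ktutil listing (third column, header skipped)
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 1 { print $3 }' | sort -u
}

# Print the PTS names of keytab principals that are not group members
missing_members() {
    keytab="$1"; members="$2"
    keytab_principals "$keytab" | while read -r princ; do
        pts=$(principal_to_pts "$princ")
        # skip the "Members of ..." header, then match the whole name
        if ! printf '%s\n' "$members" | awk 'NR > 1' | grep -qx "$pts"; then
            printf '%s\n' "$pts"
        fi
    done
}

missing_members "$KEYTAB_LIST" "$PTS_MEMBERS"
```

With the sample data this prints only web-daemon.scat.pdc.kth.se, the one daemon whose keytab identity has no membership in the group that is granted file system rights.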
