On 2022-04-08 10:22, Sam Morris via FreeIPA-users wrote:
> You need something to automate the process of obtaining a
> ticket-granting-ticket every so often.
> Check out kstart <https://www.eyrie.org/~eagle/software/kstart/> for
> this purpose. The user needs to run their job via k5start, and k5start
> takes on the job of obtaining and renewing a TGT while the job is
> running.
> If you can't use kstart, something else will have to keep running
> 'kinit -k -i' every so often. I suggest the '-i' argument because it
> uses a standard well-known keytab location; you only have to drop your
> keytab at that location & make sure the user can read it, and kinit is
> clever enough to figure out the principal name itself. The location is
> documented in the kerberos(7) man page - look for KRB5_CLIENT_KTNAME
> (or just run 'kinit -k -i' and it will spit out the location it's
> looking for in the error message).
Thanks Sam,
I've looked at k5start before, and, correct me if I am wrong, but the
difference between using a `kinit -k -i | -t keytab` and k5start is that
the latter takes care of the daemonization aspect, right? As I see it,
both need a keytab to work. The issue for me here is that it is a bit
undesirable to leave a keytab around. What I like about FreeIPA is that
you can fetch the keytab from a cached credential, so that you could
fetch it, use k5start or kinit -kt, and then erase it.
I guess there's no way to renew those tickets without a keytab, right?
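An added example (not code from either poster) of the "something else keeps running 'kinit -k -i'" approach from the thread: a POSIX shell wrapper for a cron job or systemd timer that resolves the keytab path kinit would read, refuses to run if that keytab is readable by group or others, and only then obtains a fresh TGT. It assumes GNU coreutils stat(1) and /etc/krb5.keytab as the built-in client keytab path; the thread says to confirm the real path from kerberos(7) or the kinit error message.

```sh
#!/bin/sh
# Added example, not code from the thread. Wrapper around 'kinit -k -i'
# meant to run from cron or a systemd timer as the non-k5start alternative.
# Assumes GNU coreutils stat(1); /etc/krb5.keytab is an assumed default
# client keytab path (check kerberos(7) or the kinit error on your system).

# Path 'kinit -k -i' will read: KRB5_CLIENT_KTNAME if set, else the default.
client_keytab() {
    printf '%s\n' "${KRB5_CLIENT_KTNAME:-/etc/krb5.keytab}"
}

# Succeed only if the keytab grants nothing to group or others (0600/0400).
# A keytab stands in for the principal's long-term key, so a readable copy
# lets any local user obtain tickets as that principal.
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;   # group and other digits are both zero
        *)   return 1 ;;
    esac
}

# Obtain (or replace) the TGT from the client keytab. Each run simply
# re-runs kinit, which is what the thread suggests doing "every so often".
refresh_tgt() {
    kt=$(client_keytab)
    if ! keytab_mode_ok "$kt"; then
        echo "refusing to use $kt: missing or readable by group/other" >&2
        return 2
    fi
    # -k: authenticate with a keytab, -i: use the client keytab; kinit
    # derives the principal from the keytab, so no principal is given.
    kinit -k -i
}

# The k5start equivalent for a long-running job: -U takes the principal
# from the keytab, -K 10 re-checks and renews the ticket every 10 minutes.
#   k5start -U -f "$(client_keytab)" -K 10 -- /path/to/job

# Run the refresh only when explicitly asked (e.g. RUN_KINIT=1 from the
# timer unit), so sourcing this file for its functions has no side effects.
if [ "${RUN_KINIT:-0}" = 1 ]; then
    refresh_tgt
fi
```

The permission check is the part worth keeping even if you drop the rest: the thread's own concern is that a keytab left on disk is a standing credential, and a group- or world-readable one widens that exposure to every local account.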