On Mon, 25 Apr 2022, Francis Augusto Medeiros-Logeay wrote:
On 2022-04-25 11:49, Francis Augusto Medeiros-Logeay via FreeIPA-users
wrote:
>On 2022-04-08 10:57, Alexander Bokovoy via FreeIPA-users wrote:
>
>I started to see GSSPROXY, and it seems like a good alternative, as we
>could use a keytab that give limited access to resources, and not the
>user's keytab. Would a service keytab work here, or should I rather
>create a specific user just for the purpose of mounting NFS, for
>example?
I actually tested it, but it seems I had a misunderstanding. Gssproxy
helps me to be able to mount my NFSv4 shares, but the problem is that
the user can't access them without a ticket, so I am back to square
one, which is, how to get a ticket for the user, non-interactively,
after his ticket has expired, so that running jobs won't create havoc
when the user loses access to his (mounted) share.
You need to instruct gssproxy to use a client keytab that contains the
user's keys.
You have to use the user's keys in that keytab because you need to make sure
the UID of the user has the same mapping between what the client runs and
what the NFS server uses. For users it is done more or less automatically.
For services it is not because Kerberos services in IPA do not have
POSIX identities.
https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md#keytab-based-cli...
describes a general solution.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
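The per-user client keytab setup Alexander refers to, written out as an added example configuration. It is not from the thread or from the gssproxy project's documentation; the file path, the `/var/lib/gssproxy/clients/` directory and the per-UID naming are assumptions chosen for illustration, as is the requirement that rpc.gssd on the client is already set to talk to gssproxy.

```ini
# /etc/gssproxy/99-nfs-client.conf  (added example, not the thread's own config)
# Assumes: rpc.gssd uses gssproxy; one keytab per user, named by UID, under
# /var/lib/gssproxy/clients/; %U is expanded by gssproxy to the calling UID.
[service/nfs-client]
  mechs = krb5
  # Host keytab: fallback credentials when no per-user client keytab exists.
  cred_store = keytab:/etc/krb5.keytab
  # Per-UID credential cache that gssproxy fills and renews on the user's behalf,
  # so a running job keeps access after the user's interactive ticket expires.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  # Per-UID client keytab holding that user's own Kerberos keys (not a service
  # key): the NFS server maps the user principal to the same POSIX UID.
  cred_store = client_keytab:/var/lib/gssproxy/clients/%U.keytab
  cred_usage = initiate
  allow_any_uid = yes
  trusted = yes
  euid = 0
```

To populate the keytab for a user with UID 1001 on an IPA client, retrieve the user's existing keys rather than regenerating them, e.g. `ipa-getkeytab -r -p alice@EXAMPLE.TEST -k /var/lib/gssproxy/clients/1001.keytab` (user, realm and UID are made-up values); without `-r`, ipa-getkeytab issues new random keys, which for a user principal invalidates their password. Retrieval has to be done by an account allowed to fetch that user's keys (`ipa user-allow-retrieve-keytab` controls this). Keep the file root-owned with mode 0600: it is equivalent to the user's password, which is exactly the trade-off Francis was trying to avoid and which Alexander's reply explains is unavoidable because IPA services have no POSIX identity to map to on the NFS server.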