On 2022-04-08 10:57, Alexander Bokovoy via FreeIPA-users wrote:
On pe, 08 huhti 2022, Francis Augusto Medeiros-Logeay via
FreeIPA-users
wrote:
> I've looked k5start before, and, correct me if I am wrong,
but the
> difference between using a `kinit -k -i | -t keytab` and k5start is
> that the later takes care of the daemonization aspect, right? As I see
> it, both need a keytab to work. The issue for me here is that it is a
> bit undesirable to leave a keytab around. What I like about FreeIPA is
> that you can fetch the keytab from a cached credential, so that it you
> could fetch it, use k5start or kinit -kt, and then erase it.
>
> I guess there's no way to renew those tickets without a keytab, right?
Nope -- unless you store that password somewhere and run a systemd
timer, effectively.
If you store your user credentials into a keytab and just set
KRB5_CLIENT_KTNAME, this will work too. A systemd timer could be used
to
replace k5start.
Alternatively, gssproxy could be used for that. It already knows how to
handle NFS, for example, so it would work just fine. But it also
expects
to have a keytab in a proper place.
Thanks a lot, Alexander.
I am clueless now on how to solve this. We experienced that, on machines
where the user uses nfsv4+kerberos to mount their home directory, what
happens is that if the user has some job that writes to some file on his
home directory, the machine goes bananas if the ticket expires (ie, if
the user goes on vacation and doesn't log in). This is already a problem
for a machine with one user, imagine when the machine has dozens of
users. This happened with a RHEL 8.5, and I see no remedy for this,
other than:
- storing a user keytab somewhere in his home folder, and use a
mechanism (k5start, crond, etc) to fetch new TGT's, but seems to be a
potential security risk;
- having some cron job that checks for expired credentials and kills all
processes of that user to avoid a problem with the machine.
Would you have any idea of something out of these lines?
Best,
Francis