On Fri, 08 Apr 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
>--
>Francis Augusto Medeiros-Logeay
>Oslo, Norway
>On 2022-04-08 10:22, Sam Morris via FreeIPA-users wrote:
>>
>>You need something to automate the process of obtaining a
>>ticket-granting-ticket every so often.
>>
>>Check out kstart <https://www.eyrie.org/~eagle/software/kstart/> for
>>this purpose. The user needs to run their job via k5start, and k5start
>>takes on the job of obtaining and renewing a TGT while the job is
>>running.
>>
>>If you can't use kstart, something else will have to keep running
>>'kinit -k -i' every so often. I suggest the '-i' argument because it
>>uses a standard well-known keytab location; you only have to drop your
>>keytab at that location & make sure the user can read it, and kinit is
>>clever enough to figure out the principal name itself. The location is
>>documented in the kerberos(7) man page - look for KRB5_CLIENT_KTNAME
>>(or just run 'kinit -k -i' and it will spit out the location it's
>>looking for in the error message).
>Thanks Sam,
>I've looked at k5start before, and, correct me if I am wrong, but the
>difference between using a `kinit -k -i | -t keytab` and k5start is
>that the latter takes care of the daemonization aspect, right? As I see
>it, both need a keytab to work. The issue for me here is that it is a
>bit undesirable to leave a keytab around. What I like about FreeIPA is
>that you can fetch the keytab from a cached credential, so that you
>could fetch it, use k5start or kinit -kt, and then erase it.
>I guess there's no way to renew those tickets without a keytab, right?
Nope -- unless you store that password somewhere and run a systemd
timer, effectively.
If you store your user credentials into a keytab and just set
KRB5_CLIENT_KTNAME, this will work too. A systemd timer could be used to
replace k5start.
Alternatively, gssproxy could be used for that. It already knows how to
handle NFS, for example, so it would work just fine. But it also expects
to have a keytab in a proper place.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
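A systemd user timer that does what Alexander describes above (run `kinit -k -i` periodically with KRB5_CLIENT_KTNAME pointing at the user's keytab, in place of k5start), as an added example that is not from the thread; the unit file paths, the keytab location and the 4-hour interval are assumptions.

```ini
# ~/.config/systemd/user/krb5-tgt.service  (assumed path)
# Added example, not from the thread: a oneshot user service that obtains
# a TGT from a keytab. kerberos(7): with -k -i, kinit reads the keytab named
# by KRB5_CLIENT_KTNAME and derives the principal from it, so no principal
# argument is needed.
[Unit]
Description=Obtain a Kerberos TGT from the client keytab

[Service]
Type=oneshot
# %h expands to the user's home directory. Keep the keytab readable only
# by this user (chmod 0600); the service runs as the user, so it can read it.
Environment=KRB5_CLIENT_KTNAME=%h/.config/krb5/client.keytab
ExecStart=/usr/bin/kinit -k -i

# ~/.config/systemd/user/krb5-tgt.timer  (assumed path)
[Unit]
Description=Refresh the Kerberos TGT before it expires

[Timer]
# Fire shortly after the timer is started, then every 4 hours, which is
# comfortably inside a typical ticket lifetime; tune to your KDC's policy.
OnActiveSec=1s
OnUnitActiveSec=4h

[Install]
WantedBy=timers.target
```

Enable it with `systemctl --user enable --now krb5-tgt.timer`; if the job must run while the user has no login session, also run `loginctl enable-linger <user>` so the user manager (and this timer) stays up. The job only sees the refreshed ticket if it uses the same default credential cache as the service, so do not point the job at a private KRB5CCNAME.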