Had a prior employer that solved this with non-human accounts to run automatic process
that humans could sudu-su to become and make operational changes. Sysadmin setup keytabs
for those process accounts. Jobs ran. People took time off. Security was solid. The
accounts with keytabs could not login. Cron and systemd timers ran jobs.
On April 8, 2022 2:19:26 PM EDT, Francis Augusto Medeiros-Logeay via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
On 2022-04-08 10:57, Alexander Bokovoy via FreeIPA-users wrote:
> On pe, 08 huhti 2022, Francis Augusto Medeiros-Logeay via
FreeIPA-users
> wrote:
>> I've looked k5start before, and, correct me if I am wrong, but the
>> difference between using a `kinit -k -i | -t keytab` and k5start is
>> that the later takes care of the daemonization aspect, right? As I
see
>> it, both need a keytab to work. The issue for me here is that it is
a
>> bit undesirable to leave a keytab around. What I like about FreeIPA
is
>> that you can fetch the keytab from a cached credential, so that it
you
>> could fetch it, use k5start or kinit -kt, and then erase it.
>>
>> I guess there's no way to renew those tickets without a keytab,
right?
>
> Nope -- unless you store that password somewhere and run a systemd
> timer, effectively.
>
> If you store your user credentials into a keytab and just set
> KRB5_CLIENT_KTNAME, this will work too. A systemd timer could be used
> to
> replace k5start.
>
> Alternatively, gssproxy could be used for that. It already knows how
to
> handle NFS, for example, so it would work just fine. But it also
> expects
> to have a keytab in a proper place.
Thanks a lot, Alexander.
I am clueless now on how to solve this. We experienced that, on
machines
where the user uses nfsv4+kerberos to mount their home directory, what
happens is that if the user has some job that writes to some file on
his
home directory, the machine goes bananas if the ticket expires (ie, if
the user goes on vacation and doesn't log in). This is already a
problem
for a machine with one user, imagine when the machine has dozens of
users. This happened with a RHEL 8.5, and I see no remedy for this,
other than:
- storing a user keytab somewhere in his home folder, and use a
mechanism (k5start, crond, etc) to fetch new TGT's, but seems to be a
potential security risk;
- having some cron job that checks for expired credentials and kills
all
processes of that user to avoid a problem with the machine.
Would you have any idea of something out of these lines?
Best,
Francis
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure