Had a prior employer that solved this with non-human accounts to run automatic process that humans could sudu-su to become and make operational changes. Sysadmin setup keytabs for those process accounts. Jobs ran. People took time off. Security was solid. The accounts with keytabs could not login. Cron and systemd timers ran jobs.

On April 8, 2022 2:19:26 PM EDT, Francis Augusto Medeiros-Logeay via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


On 2022-04-08 10:57, Alexander Bokovoy via FreeIPA-users wrote:
On pe, 08 huhti 2022, Francis Augusto Medeiros-Logeay via FreeIPA-users 
wrote:

I've looked k5start before, and, correct me if I am wrong, but the 
difference between using a `kinit -k -i | -t keytab` and k5start is 
that the later takes care of the daemonization aspect, right? As I see 
it, both need a keytab to work. The issue for me here is that it is a 
bit undesirable to leave a keytab around. What I like about FreeIPA is 
that you can fetch the keytab from a cached credential, so that it you 
could fetch it, use k5start or kinit -kt, and then erase it.

I guess there's no way to renew those tickets without a keytab, right?

Nope -- unless you store that password somewhere and run a systemd
timer, effectively.

If you store your user credentials into a keytab and just set
KRB5_CLIENT_KTNAME, this will work too. A systemd timer could be used 
to
replace k5start.

Alternatively, gssproxy could be used for that. It already knows how to
handle NFS, for example, so it would work just fine. But it also 
expects
to have a keytab in a proper place.

Thanks a lot, Alexander.

I am clueless now on how to solve this. We experienced that, on machines 
where the user uses nfsv4+kerberos to mount their home directory, what 
happens is that if the user has some job that writes to some file on his 
home directory, the machine goes bananas if the ticket expires (ie, if 
the user goes on vacation and doesn't log in). This is already a problem 
for a machine with one user, imagine when the machine has dozens of 
users. This happened with a RHEL 8.5, and I see no remedy for this, 
other than:

- storing a user keytab somewhere in his home folder, and use a 
mechanism (k5start, crond, etc) to fetch new TGT's, but seems to be a 
potential security risk;
- having some cron job that checks for expired credentials and kills all 
processes of that user to avoid a problem with the machine.

Would you have any idea of something out of these lines?

Best,

Francis
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Computers amplify human error
Super computers are really cool