On Mon, 20 Feb 2023, Charles Hedrick via FreeIPA-users wrote:
> We have a site where some users want to be able to run cron jobs with
> credentials so they can access files via NFS. We are currently using a
> local mechanism to generate those credentials. I'm considering using
> gssproxy instead. I've verified that it will work.
>
> Is there any disadvantage to installing gssproxy on all systems, and
> setting use_gss_proxy in /etc/nfs.conf? We're on Ubuntu 20.04 and
> 22.04.
>
> The only issue I can see is that attempts to access files will cause
> something (the server?) to check for delegation entries in LDAP. If
> this only happens when credentials aren't already present, the extra
> overhead should be minimal. But we have lots of calls to rpc.gss,
> particularly since we expire contexts in 30 min, to deal with the
> problem that removing users from a group doesn't remove their access to
> files protected by the group until their NFS session credentials are
> refreshed.
GSSProxy does not look at LDAP at all, it is not written to do so. What
it does is that it allows applications to request operations on behalf
of users (allow_constrained_delegation=true or
allow_constrained_delegation=true in a configuration file) and *that*
requires the KDC to perform conditional delegation checks. The check is done
by the KDC, not by GSSProxy, at the time when a client (GSSProxy in this
case) would request a protocol transition or constrained delegation, e.g.
to obtain a ticket to a service.

When there is a ticket already, no additional operations would be done.
If you expire tickets in 30 minutes, then at least once in those 30
minutes if you'd get a service performing acquisition of a Kerberos
ticket on behalf of the user, then the KDC would get a request.

An additional consideration would be to see if you have any applications
that use Heimdal Kerberos instead of MIT Kerberos. GSSProxy is only
supported for MIT Kerberos-linked applications using GSSAPI. Heimdal has
no interposer mechanism pluggable interface, hence no way to interpose
it this way. That specifically affects Debian and Ubuntu as their Samba
builds are done against Heimdal.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
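The last point in the reply (only MIT Kerberos-linked GSSAPI applications can be interposed by gssproxy; Heimdal-linked ones such as the Debian/Ubuntu Samba builds cannot) is something you can check per binary before rolling gssproxy out. The script below is an added example, not part of the thread and not gssproxy or Samba project code. It classifies a binary by the Kerberos shared libraries `ldd` reports: the MIT sonames `libgssapi_krb5.so.2` and `libkrb5.so.3` versus the Heimdal sonames `libgssapi.so.3` and `libkrb5.so.26` (plus `libhx509`/`libroken`). The sample `ldd` output embedded in the script is constructed so it runs offline; pass a path as the first argument to check a real binary.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): tell whether a binary is
# linked against MIT Kerberos or Heimdal, since gssproxy can only interpose
# GSSAPI calls made through MIT Kerberos.

# Read ldd-style output on stdin; print "mit", "heimdal", "both" or "none".
classify_krb_impl() {
    mit=0
    heimdal=0
    while IFS= read -r line; do
        case "$line" in
            # MIT Kerberos sonames
            *libgssapi_krb5.so*|*libkrb5.so.3*) mit=1 ;;
            # Heimdal sonames (Debian/Ubuntu install them under .../heimdal/)
            *libgssapi.so.3*|*libkrb5.so.26*|*libhx509*|*libroken*) heimdal=1 ;;
        esac
    done
    if [ "$mit" = 1 ] && [ "$heimdal" = 1 ]; then
        echo both
    elif [ "$mit" = 1 ]; then
        echo mit
    elif [ "$heimdal" = 1 ]; then
        echo heimdal
    else
        echo none
    fi
}

# Classify a real binary on this host; "none" if ldd or the file is missing.
check_binary() {
    if command -v ldd >/dev/null 2>&1 && [ -e "$1" ]; then
        ldd "$1" 2>/dev/null | classify_krb_impl
    else
        echo none
    fi
}

# Constructed sample ldd output (not captured from a real system).
SAMPLE_MIT='    libgssapi_krb5.so.2 => /lib/x86_64-linux-gnu/libgssapi_krb5.so.2 (0x0)
    libkrb5.so.3 => /lib/x86_64-linux-gnu/libkrb5.so.3 (0x0)'
SAMPLE_HEIMDAL='    libgssapi.so.3 => /usr/lib/x86_64-linux-gnu/heimdal/libgssapi.so.3 (0x0)
    libkrb5.so.26 => /usr/lib/x86_64-linux-gnu/heimdal/libkrb5.so.26 (0x0)'

if [ -n "${1:-}" ]; then
    # Usage: sh krbcheck.sh /usr/sbin/smbd
    check_binary "$1"
else
    printf 'sample MIT:     %s\n' "$(printf '%s\n' "$SAMPLE_MIT" | classify_krb_impl)"
    printf 'sample Heimdal: %s\n' "$(printf '%s\n' "$SAMPLE_HEIMDAL" | classify_krb_impl)"
fi
```

A result of `heimdal` (or `both`) for a daemon you intended to route through gssproxy means that daemon will keep using its own credential handling regardless of the gssproxy and `/etc/nfs.conf` settings; `rpc.gssd` from nfs-utils on Ubuntu is MIT-linked, which is why the NFS case in the thread works.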