On 2017-07-27 12:17, Darac Marjal via FreeIPA-users wrote: > Hi all, > > I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on > on a few computers on my small network. > > So far, I've managed to setup up automounting of krb5i-protected shares > on my NAS. I can see that, when I log in a kerberos ticket is arranged > and then that is used to authenticate to the NFS server. > > What I'm now wondering about is how things work with cron. I would like > to leave some of my machines unattended, but still have them run cron > jobs that access the NFS filesystems. > > Is this a non-problem (i.e. is cron going to be able to access my files > without interaction, in the same way that it would on a regular system?) > Or do I need to arrange something beforehand to allow cron access (I've > seen various references to S4U2Proxy, to creating a "user/cron@REALM" > user and mapping that to just "user@REALM" and also to simply running > kinit before each job.) > > Pointers to documentation would be useful. > > For reference, I'm running FreeIPA on Fedora 25, but my client machines > are typically Debian 9. You don't have to resort to a cron job to request and refresh a TGT.

It's much simpler to use a keytab for your service and let Kerberos acquire a TGT automatically. You can either place the keytab in a special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to handle the keytab for you. With a client keytab, you don't have to call kinit at all.

Christian -- Christian Heimes Senior Software Engineer, Identity Management and Platform Security Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander

_______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org

>> It's much simpler to use a keytab for your service and let Kerberos >> acquire a TGT automatically. You can either place the keytab in a >> special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to >> handle the keytab for you. With a client keytab, you don't have to call >> kinit at all. > > OK, I'd seen references to using keytabs with cron. I'll go down that > route. Thank you. I've had a similar situation recently and found that GSSProxy works nicely for this purpose. Since I found documentation to be a little scattered: GSSProxy in its (ipa-)default configuration (on CentOS) looks for client keytabs in '/var/lib/gssproxy/clients/$EUID.keytab'. Then, whenever a user accesses a kerberized NFS mount, GSSProxy 'automagically' gets a ticket and saves that in '/var/lib/gssproxy/clients/krb5cc_$EUID'. All while the keytab and cache are both inaccessible to the user.

So in the simplest case: # kinit $user # ipa-getkeytab -p $user \ -k /var/lib/gssproxy/clients/$(id -u $user).keytab .. and then just make sure gssproxy.service is started and the script runs as that user but don't bother with tickets. I could not get this to work for system users, i.e. service principals of the form 'apache/$hostname@$REALM', though. They are able to access the share but I couldn't figure out how to properly map the username to enable write access aswell.