On Thu, Jul 27, 2017 at 02:42:50PM +0200, Christian Heimes via FreeIPA-users wrote:
> On 2017-07-27 12:17, Darac Marjal via FreeIPA-users wrote:
> > Hi all,
> >
> > I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on
> > on a few computers on my small network.
> >
> > So far, I've managed to set up automounting of krb5i-protected shares
> > on my NAS. I can see that, when I log in, a Kerberos ticket is arranged
> > and then that is used to authenticate to the NFS server.
> >
> > What I'm now wondering about is how things work with cron. I would like
> > to leave some of my machines unattended, but still have them run cron
> > jobs that access the NFS filesystems.
> >
> > Is this a non-problem (i.e. is cron going to be able to access my files
> > without interaction, in the same way that it would on a regular system?)
> > Or do I need to arrange something beforehand to allow cron access? (I've
> > seen various references to S4U2Proxy, to creating a "user/cron@REALM"
> > user and mapping that to just "user@REALM", and also to simply running
> > kinit before each job.)
> >
> > Pointers to documentation would be useful.
> >
> > For reference, I'm running FreeIPA on Fedora 25, but my client machines
> > are typically Debian 9.
> You don't have to resort to a cron job to request and refresh a TGT.
No, but if I want my user to be able to create a cronjob which accesses
files on my kerberos-secured NFS server, then cron needs a ticket.
> It's much simpler to use a keytab for your service and let Kerberos
> acquire a TGT automatically. You can either place the keytab in a
> special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to
> handle the keytab for you. With a client keytab, you don't have to call
> kinit at all.
OK, I'd seen references to using keytabs with cron. I'll go down that
route. Thank you.
> Christian
> --
> Christian Heimes
> Senior Software Engineer, Identity Management and Platform Security
> Red Hat GmbH,
> http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Michael Cunningham, Michael
> O'Neill, Eric Shander
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
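The client-keytab route Christian describes, as an added example that is not part of the thread and not code from either poster: a small wrapper that a cron job can be run through. MIT Kerberos (1.11 and later) reads the keytab named by KRB5_CLIENT_KTNAME (or, when that is unset, the path given by default_client_keytab_name in krb5.conf, which is the "special location" mentioned above) and obtains a TGT on first GSSAPI use, so the job never calls kinit. The wrapper first refuses keytabs that other users can read, since a keytab is equivalent to the principal's password, and gives the job its own credential cache so its TGT is not mixed with an interactive session's. The keytab path, job command and crontab line are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Run a cron job with a client keytab
# instead of an interactive kinit. Paths and commands below are placeholders.

# Refuse to use a keytab that is group- or world-readable: anyone who can
# read it can obtain tickets as that principal.
check_keytab() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab $kt missing" >&2; return 1; }
    # stat -c is GNU coreutils (Debian/Fedora); prints the octal mode bits
    mode=$(stat -c '%a' "$kt") || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "keytab $kt has mode $mode; expected 0600 or 0400" >&2; return 1 ;;
    esac
}

# Run "$@" with the keytab exported and a private, job-scoped credential
# cache. The GSSAPI library acquires the TGT from the keytab on first use.
run_with_keytab() {
    kt="$1"; shift
    check_keytab "$kt" || return 1
    cc="/tmp/krb5cc_cron_$$"
    if KRB5_CLIENT_KTNAME="$kt" KRB5CCNAME="FILE:$cc" "$@"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$cc"   # drop the job's TGT when it finishes
    return $rc
}

# Example crontab entry (placeholder paths; the job must run as the user who
# owns the keytab so the 0600 mode is sufficient):
#   */15 * * * * /usr/local/bin/cron-with-keytab.sh /etc/cron-keytabs/user.keytab /usr/local/bin/nfs-job.sh
#
# where cron-with-keytab.sh sources this file and ends with:
#   run_with_keytab "$@"
```

The permission check is the part worth keeping even if the rest is replaced by GSSProxy: with GSSProxy the keytab is owned and read only by the gssproxy daemon, which removes the need to hand a readable keytab to the user's cron job at all.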