On Wed, 2013-05-01 at 19:16 +0000, Ondrej Valousek wrote:
> Probably not the best list to ask this question, but I will try
> anyway.
> Can we expect gss-proxy in RHEL-7?
> The thing is that I would like to let a Linux-based dhcp server
> update a Windows-based DNS server via gss-tsig updates, and I hate the
> 'chgrp dhcpd /etc/krb5.keytab' dirty hack.

You do not need to do this.
Get a DNS/hostname principal for your dhcp server and store its keys
in /etc/dhcp/dhcp.keytab or where more appropriate for your dhcp server
to use it.
(Adjust bind ACIs as appropriate if you are switching from using
host/hostname to DNS/hostname principals in doing so.)

That said, gss-proxy will be in Fedora 19, and there is a good chance it
will be in RHEL7 since the start.
But whether you can use it or not depends on whether the dhcp server
uses just GSSAPI or still does some native kerberos calls.
If the latter it should be patched first to not use krb calls.
Are you using a script that calls nsupdate? Or something else?

> I guess sssd should use gss-proxy as well.

sssd is one of the most trusted services in the system so it doesn't
really need privilege separation.
Also sssd does not use GSSAPI for many operations so the GSS-Proxy
wouldn't help.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
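
An added example, not part of the original message: a check that a dedicated keytab such as /etc/dhcp/dhcp.keytab holds only DNS/hostname keys and no host/hostname keys, which is the point of not sharing /etc/krb5.keytab. It assumes the MIT keytab file format version 0x0502; the host name, realm and key bytes are constructed sample values, and `build_entry` exists only to produce that sample.

```python
import struct

def build_entry(principal, realm, kvno=1, enctype=18, key=b"\x00" * 32):
    """Build one constructed keytab entry (format 0x0502) for the demo."""
    def counted(b):
        return struct.pack(">H", len(b)) + b
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + counted(realm.encode())
    body += b"".join(counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + counted(key)
    return struct.pack(">i", len(body)) + body

def list_principals(data):
    """Return the principal names stored in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, names = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                # zero length: treat as end of entries
            break
        if size < 0:                 # negative length marks a deleted entry
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        p, parts = pos + 2, []
        for _ in range(ncomp + 1):   # realm first, then each name component
            (n,) = struct.unpack_from(">H", data, p)
            parts.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        names.append("/".join(parts[1:]) + "@" + parts[0])
        pos = end                    # skip timestamp, kvno and key material
    return names

def unexpected_principals(data, allowed_service="DNS"):
    """Principals whose first component is not the allowed service name."""
    return [n for n in list_principals(data) if n.split("/")[0] != allowed_service]

# Constructed sample: a keytab that wrongly also carries the host key.
SAMPLE = (b"\x05\x02" + build_entry("DNS/dhcp1.example.com", "EXAMPLE.COM")
          + build_entry("host/dhcp1.example.com", "EXAMPLE.COM"))
```

On a real system, pass the bytes of the keytab file to `unexpected_principals` and treat a non-empty result as a finding.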