Re: Question on k5start daemon-related example in k5start manual
daemon@ATHENA.MIT.EDU (Russ Allbery)
Thu Sep 2 20:57:10 2010
From: Russ Allbery <rra@stanford.edu>
To: Holger Rauch <holger.rauch@empic.de>
In-Reply-To: <20100902123055.GA4413@heitec.de> (Holger Rauch's message of "Thu, 2 Sep 2010 14:30:55 +0200")
Date: Thu, 02 Sep 2010 17:57:02 -0700
Message-ID: <87r5hbfxup.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Holger Rauch <holger.rauch@empic.de> writes:
> thanks a lot for your detailed explanation. What I forgot to mention:
> - I initially log in to the box (NFSv4 client) via ssh, which causes
> the following
>
> *) Kerberos tickets are obtained
> *) the home dir is mounted with automount via NFSv4
>
> - From that interactive shell I would like to use k5start as a wrapper
> so that the process(es) started via their init script can still write
> to the NFSv4 file system and don't get "Permission denied" when the
> tickets expire.
I don't think this works. I think you're going to need to do something
trickier that invokes k5start -H in the user's session periodically, like
using a shell function for the prompt that checks elapsed time from the
last time k5start -H ran. (Alternatively, of course, convince all the
users to run something that does this kind of thing for them. There is a
tray application for GNOME that does this, for example.)
> Is it possible to run daemon-like processes indefinitely (provided there's
> no core dump etc.) using k5start? (Sorry for explicitly asking this, but
> it's not clear to me from the examples I've come across on your home
> page).
Yes, but only if you have a keytab. For a user, you don't have a keytab
(which would be equivalent to storing the password for that user on disk),
so that doesn't really work.
> Do I have to take any additional measures when a daemon accesses a NFSv4
> mounted filesystem via automount (That is, do I have to add additional
> principals to my keytab file)? (Currently, only the corresponding user
> principal is in there).
The only thing that should be in your system keytab file is the host/* key
for the system, normally. If you want a daemon to be able to access
Kerberized NFS with authentication, you'll need to create a keytab for
that daemon to use with a principal that has appropriate access to NFS.
Usually you want to store that keytab somewhere other than /etc/krb5.conf
since normally you don't want to run daemons as root, and the keytab file
needs to be readable by whatever user the daemon runs as.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
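The two arrangements described in the reply, as an added example that is not part of the thread: a bash prompt hook that runs `k5start -H` only after a chosen interval has elapsed, plus the keytab-based invocation a daemon would use. The interval, the happy-ticket threshold, and the keytab, cache, user and daemon names are assumed placeholders.

```bash
#!/bin/bash
# Interactive side: keep the user's tickets fresh from the shell prompt so
# processes started from this session keep working against Kerberized NFS.
K5_REFRESH_SECS=${K5_REFRESH_SECS:-600}   # assumed: re-check every 10 minutes
K5_HAPPY_MIN=${K5_HAPPY_MIN:-60}          # assumed: renew if <60 min left
K5_LAST_RUN=0                             # epoch seconds of last k5start -H

# k5_refresh_due LAST NOW INTERVAL: succeeds (exit 0) when NOW - LAST >= INTERVAL.
# Pure arithmetic, so the scheduling logic can be checked without Kerberos.
k5_refresh_due() {
  local last=$1 now=$2 interval=$3
  [ $((now - last)) -ge "$interval" ]
}

# Prompt hook, installed with PROMPT_COMMAND=k5_prompt_refresh in ~/.bashrc.
# Runs before each prompt; only calls k5start once per K5_REFRESH_SECS, and
# k5start -H itself only obtains a new ticket when the current one is too short-lived.
k5_prompt_refresh() {
  local now
  now=$(date +%s)
  if k5_refresh_due "$K5_LAST_RUN" "$now" "$K5_REFRESH_SECS"; then
    if ! k5start -H "$K5_HAPPY_MIN" >/dev/null 2>&1; then
      echo "k5start -H failed; run kinit to refresh your tickets" >&2
    fi
    K5_LAST_RUN=$now
  fi
}

# Daemon side (placeholders): a dedicated keytab readable only by the daemon's
# unprivileged user, and k5start wrapping the daemon so the ticket cache it
# uses is renewed every 10 minutes (-K) for as long as the daemon runs.
#   chown mydaemon /etc/mydaemon/mydaemon.keytab
#   chmod 0600     /etc/mydaemon/mydaemon.keytab
#   k5start -U -f /etc/mydaemon/mydaemon.keytab -K 10 \
#           -k /run/mydaemon/krb5cc -- /usr/sbin/mydaemon
```

The daemon-side keytab must belong to a principal granted access to the NFS export; the system's own host/* keytab is not reused for this.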
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos