gitea-pages/admin-guide/configuration/basic/gssproxy_with_keytab.md
2024-11-25 13:55:29 +01:00

Permanent Kerberos with gssproxy and Password Keytab

If there are accounts which run software permanently (e.g. for data collection) and shall always be able to write to Kerberos-protected network shares, then you may provide the gssproxy service with a password keytab for them. Afterwards, Kerberos for NFS and CIFS is handled transparently: there is no need to kinit, renew tickets or anything of that kind, because gssproxy does this automatically in the background.

Attention: The keytab file generated in this guide is equivalent to a cleartext password and must be protected in the same way!

Note: when the password of the user changes, a new keytab file with the new password needs to be created.

First you need the user name ($USER) and the user ID ($UID) to prepare the password keytab:

$ # ensure it does not exist, else it gets extended
$ rm $UID.keytab
$ ktutil
ktutil:  add_entry -password -k 0 -f -p $USER
Password for $USER@D.PSI.CH: 
ktutil:  wkt $UID.keytab
ktutil:  exit
$

Note that inside ktutil the variables are not interpolated, because ktutil is not bash: type the actual user name and UID there. To test whether the keytab works as intended, run

$ kinit -t $UID.keytab -k $USER
$

and if there is no output, the keytab works.

Then as root (sudo) make it known to gssproxy:

# cp $UID.keytab /var/lib/gssproxy/clients/
# chmod 600 /var/lib/gssproxy/clients/$UID.keytab
# chown root:root /var/lib/gssproxy/clients/$UID.keytab
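The whole procedure above (create the keytab, test it, install it for gssproxy) as one script, added here as an example and not part of the original guide. It assumes MIT Kerberos tools (ktutil accepting its commands and the password on stdin, which is how the interactive session above is scripted), GNU stat (Linux), and gssproxy's default client keytab directory /var/lib/gssproxy/clients/. The password is taken from the KEYTAB_PASSWORD environment variable so it never appears in the process list; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): scripted version of the
# gssproxy password-keytab procedure plus a permission check for the
# installed file. Assumes MIT ktutil/kinit, GNU stat and the default
# gssproxy client keytab directory /var/lib/gssproxy/clients/.
set -eu

GSSPROXY_CLIENTS=/var/lib/gssproxy/clients

# Build the password keytab for $user (UID $uid) in the current directory.
# The password comes from $KEYTAB_PASSWORD, not from the command line.
build_keytab() {
    user=$1; uid=$2
    rm -f "$uid.keytab"            # ktutil appends to an existing keytab
    printf '%s\n' \
        "add_entry -password -k 0 -f -p $user" \
        "$KEYTAB_PASSWORD" \
        "wkt $uid.keytab" \
        "exit" | ktutil
    chmod 600 "$uid.keytab"        # the keytab is a cleartext-password equivalent
}

# Verify that the keytab authenticates as $user. A throwaway credential
# cache is used so the caller's real ticket cache is not replaced, and the
# test ticket is destroyed afterwards.
test_keytab() {
    user=$1; uid=$2
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    kinit -t "$uid.keytab" -k "$user"
    kdestroy
}

# Install the keytab where gssproxy looks for per-UID client keytabs
# (must run as root, as in the guide).
install_keytab() {
    uid=$1
    install -m 600 -o root -g root "$uid.keytab" "$GSSPROXY_CLIENTS/$uid.keytab"
}

# Return 0 if $1 is a regular file with mode 0600 owned by $2 (default
# root), 1 otherwise. Useful as a post-install or periodic audit check.
keytab_perms_ok() {
    file=$1; owner=${2:-root}
    [ -f "$file" ] || return 1
    set -- $(stat -c '%a %U' "$file")
    if [ "$1" = "600" ] && [ "$2" = "$owner" ]; then
        return 0
    fi
    return 1
}

# Usage: KEYTAB_PASSWORD='...' ./gssproxy_keytab.sh <user> <uid>
if [ $# -eq 2 ]; then
    build_keytab "$1" "$2"
    test_keytab "$1" "$2"
    install_keytab "$2"
    keytab_perms_ok "$GSSPROXY_CLIENTS/$2.keytab" root
fi
```

keytab_perms_ok is the part worth keeping around: the guide's protection requirement is only as good as the file mode and owner in /var/lib/gssproxy/clients/, and checking it after every deployment (or from Puppet) catches a keytab that was copied with the wrong permissions.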

If you want to distribute the keytab with Puppet/Hiera, ensure it is stored in Hiera encrypted.