# Permanent Kerberos with gssproxy and Password Keytab
If there are accounts which run software permanently, e.g. for data collection, and which must always be able to write to Kerberos protected network shares, you may provide the `gssproxy` service with a password keytab for them.
Afterwards, Kerberos for NFS and CIFS is handled transparently: there is no need to `kinit`, to renew tickets or anything like this, because `gssproxy` does that in the background automatically.
**Attention: The keytab file generated in this guide is like a cleartext password and needs to be protected the same!**
**Note: when the password of the user changes, a new keytab file with the new password needs to be created.**
First you need the user name (`$USER`) and the user ID (`$UID`) to prepare the password keytab:
```
$ # ensure it does not exist, else it gets extended
$ rm -f $UID.keytab
$ ktutil
ktutil: add_entry -password -k 0 -f -p $USER
Password for $USER@D.PSI.CH:
ktutil: wkt $UID.keytab
ktutil: exit
$
```
Note that inside `ktutil` the variables `$USER` and `$UID` are not interpolated, because `ktutil` is not `bash`: type the actual user name and user ID there.
To test whether the keytab works as intended, run

```
$ kinit -t $UID.keytab -k $USER
$
```

If there is no output, the keytab works fine.
Then as root (`sudo`) make it known to `gssproxy`:
```
# cp $UID.keytab /var/lib/gssproxy/clients/
# chmod 600 /var/lib/gssproxy/clients/$UID.keytab
# chown root:root /var/lib/gssproxy/clients/$UID.keytab
```
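The three steps above (create the keytab, verify it with `kinit`, install it for `gssproxy`) as one script; this is an added example, not part of the original guide. It assumes MIT Kerberos (`ktutil` reading its password from stdin) and `gssproxy`'s default client keytab directory `/var/lib/gssproxy/clients/<UID>.keytab`, and it checks that the installed file keeps the `0600`/root permissions the keytab needs because it is password-equivalent.

```shell
#!/bin/sh
# Added example, not from the original page: build, verify and install a
# gssproxy password keytab in one go. Assumes MIT Kerberos ktutil/kinit
# (ktutil reads the password from stdin) and gssproxy's default client
# keytab directory /var/lib/gssproxy/clients/<UID>.keytab.
set -eu

GSSPROXY_DIR=/var/lib/gssproxy/clients

# Path gssproxy looks up for a user: <numeric UID>.keytab in the clients dir.
keytab_target_path() {
    printf '%s/%s.keytab\n' "$GSSPROXY_DIR" "$(id -u "$1")"
}

# A password keytab is as sensitive as the cleartext password: accept only a
# regular file with mode 0600 owned by the expected UID (0 = root for gssproxy).
check_keytab_perms() {
    file=$1; owner_uid=${2:-0}
    [ -f "$file" ] || return 1
    [ "$(stat -c '%a' "$file")" = "600" ] && [ "$(stat -c '%u' "$file")" = "$owner_uid" ]
}

# Create <UID>.keytab for user $1 in the current directory and verify it.
# The shell expands $user and $out inside the here-document, so ktutil gets
# the real values even though ktutil itself does not expand variables.
make_password_keytab() {
    user=$1; out="$(id -u "$user").keytab"; cc=$(mktemp)
    rm -f "$out"                      # an existing keytab would be extended
    printf 'Password for %s: ' "$user"; stty -echo; read -r password; stty echo; echo
    ktutil <<EOF
add_entry -password -k 0 -f -p $user
$password
wkt $out
EOF
    unset password
    chmod 600 "$out"
    # Verify against a throwaway credential cache so the user's own ticket
    # cache is left untouched; kinit prints nothing when the keytab works.
    KRB5CCNAME="FILE:$cc" kinit -k -t "$out" "$user"
    KRB5CCNAME="FILE:$cc" kdestroy
    printf '%s\n' "$out"
}

# Install the verified keytab ($2) for user $1 where gssproxy expects it,
# then re-check owner and mode on the installed copy.
install_keytab() {
    dst=$(keytab_target_path "$1")
    sudo install -o root -g root -m 0600 "$2" "$dst"
    check_keytab_perms "$dst" 0
}
```

Typical use: `kt=$(make_password_keytab alice) && install_keytab alice "$kt"`, after which the local copy can be deleted.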
If you want to [distribute the keytab with Puppet/Hiera](../files/distribute_files), ensure it is [stored in Hiera encrypted](../../puppet/hiera).