# Permanent Kerberos with gssproxy and Password Keytab

If there are accounts that run software permanently, e.g. for data collection, and must always be able to write to Kerberos-protected network shares, then you can provide the `gssproxy` service with a password keytab.

After that, Kerberos for NFS and CIFS is handled transparently: there is no need to `kinit`, renew tickets or anything like this, because `gssproxy` takes care of it in the background automatically.

**Attention: The keytab file generated in this guide is equivalent to a cleartext password and needs to be protected the same way!**

**Note: when the password of the user changes, a new keytab file with the new password needs to be created.**

First you need the user name (`$USER`) and the numeric user ID (`$UID`) to prepare the password keytab:

```
$ # ensure it does not exist, else it gets extended
$ rm $UID.keytab
$ ktutil
ktutil: add_entry -password -k 0 -f -p $USER
Password for $USER@D.PSI.CH:
ktutil: wkt $UID.keytab
ktutil: exit
$
```

Note that inside `ktutil` shell variables such as `$USER` and `$UID` are not interpolated, because `ktutil` is not `bash`: type the actual user name and file name instead.

Then as root (`sudo`) make it known to `gssproxy`:

```
# cp $UID.keytab /var/lib/gssproxy/clients/
# chmod 600 /var/lib/gssproxy/clients/$UID.keytab
# chown root:root /var/lib/gssproxy/clients/$UID.keytab
```
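As an added check that is not part of the original guide, the script below verifies the keytab before handing it to `gssproxy` (the principal is present and `kinit` from the keytab succeeds, which catches a password mistyped in `ktutil`) and then installs it with the required owner and mode in one step. It assumes MIT Kerberos tools (`klist`, `kinit`, `kdestroy`) and the client keytab directory used above; the user name `alice` and UID `1000` in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes MIT Kerberos tools
# (klist, kinit, kdestroy) and the guide's gssproxy layout, in which the
# client keytab lives at /var/lib/gssproxy/clients/<uid>.keytab.
set -eu

GSSPROXY_CLIENTS=/var/lib/gssproxy/clients   # directory named in the guide

# Build the principal from user name and realm. ktutil does not expand
# shell variables, but here the shell does it for us.
principal_for() {   # $1 user, $2 realm
    printf '%s@%s\n' "$1" "$2"
}

# A keytab is a cleartext-password equivalent: succeed only if the file
# exists, is mode 0600 and is owned by "$2" (root once installed).
keytab_perms_ok() {   # $1 keytab, $2 expected owner
    [ -f "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = 600 ] || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
}

# Prove the keytab works before installing it: a mistyped password in
# ktutil still yields a keytab, and the failure would otherwise surface
# later as "Permission denied" on the share. Use a throwaway ccache.
keytab_works() {   # $1 keytab, $2 principal
    cc=$(mktemp)
    klist -kt "$1" | grep -q "$2" || { echo "$2 not in $1" >&2; rm -f "$cc"; return 1; }
    KRB5CCNAME="FILE:$cc" kinit -kt "$1" "$2" || { rm -f "$cc"; return 1; }
    KRB5CCNAME="FILE:$cc" kdestroy
    rm -f "$cc"
}

# Copy into place with owner and mode set at creation time instead of the
# three-step cp/chmod/chown from the guide. Must run as root.
install_for_gssproxy() {   # $1 keytab, $2 numeric uid
    install -o root -g root -m 600 "$1" "$GSSPROXY_CLIENTS/$2.keytab"
    keytab_perms_ok "$GSSPROXY_CLIENTS/$2.keytab" root
}

# Usage (constructed example): sudo ./check-keytab.sh alice D.PSI.CH 1000
if [ "$#" -eq 3 ]; then
    principal=$(principal_for "$1" "$2")
    keytab_works "$3.keytab" "$principal"
    install_for_gssproxy "$3.keytab" "$3"
fi
```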