forked from Controls/gitea-pages
user password keytab with gssproxy
This commit is contained in:
@@ -0,0 +1,30 @@
|
||||
# Permanent Kerberos with gssproxy and Password Keytab
|
||||
|
||||
If there are accounts which run software permamently e.g. used for data collection and shall always be able to write to Kerberos protected network shares, they you may provide the `gssproxy` service with a password keytab.
|
||||
After Kerberos for NFS and CIFS is handled transparently and there is no need to `kinit`, renew and anything like this because that is handled in the back by `gssproxy` automatically.
|
||||
|
||||
**Attention: The keytab file generated in this guide is like a cleartext password and needs to be protected the same!**
|
||||
|
||||
**Note: when the password of the user changes, a new keytab file with the new password needs to be created.**
|
||||
|
||||
First you need the user name ($USER) and the user ID ($UID) to prepare the password keytab:
|
||||
|
||||
```
|
||||
$ # ensure it does not exist, else it gets extended
|
||||
$ rm $UID.keytab
|
||||
$ ktutil
|
||||
ktutil: add_entry -password -k 0 -f -p $USER
|
||||
Password for $USER@D.PSI.CH:
|
||||
ktutil: wkt $UID.keytab
|
||||
ktutil: exit
|
||||
$
|
||||
```
|
||||
Note that inside `ktutil` variables are not interpolated as this in not bash.
|
||||
|
||||
|
||||
Then as root (`sudo`) make it known to `gssproxy`:
|
||||
```
|
||||
# cp $UID.keytab /var/lib/gssproxy/clients/
|
||||
# chmod 600 /var/lib/gssproxy/clients/$UID.keytab
|
||||
# chown root:root /var/lib/gssproxy/clients/$UID.keytab
|
||||
```
|
||||
Reference in New Issue
Block a user