diff --git a/admin-guide/configuration/basic/gssproxy_with_keytab.md b/admin-guide/configuration/basic/gssproxy_with_keytab.md new file mode 100644 index 00000000..fa7a3b5a --- /dev/null +++ b/admin-guide/configuration/basic/gssproxy_with_keytab.md @@ -0,0 +1,30 @@ +# Permanent Kerberos with gssproxy and Password Keytab + +If there are accounts which run software permamently e.g. used for data collection and shall always be able to write to Kerberos protected network shares, they you may provide the `gssproxy` service with a password keytab. +After Kerberos for NFS and CIFS is handled transparently and there is no need to `kinit`, renew and anything like this because that is handled in the back by `gssproxy` automatically. + +**Attention: The keytab file generated in this guide is like a cleartext password and needs to be protected the same!** + +**Note: when the password of the user changes, a new keytab file with the new password needs to be created.** + +First you need the user name ($USER) and the user ID ($UID) to prepare the password keytab: + +``` +$ # ensure it does not exist, else it gets extended +$ rm $UID.keytab +$ ktutil +ktutil: add_entry -password -k 0 -f -p $USER +Password for $USER@D.PSI.CH: +ktutil: wkt $UID.keytab +ktutil: exit +$ +``` +Note that inside `ktutil` variables are not interpolated as this in not bash. + + +Then as root (`sudo`) make it known to `gssproxy`: +``` +# cp $UID.keytab /var/lib/gssproxy/clients/ +# chmod 600 /var/lib/gssproxy/clients/$UID.keytab +# chown root:root /var/lib/gssproxy/clients/$UID.keytab +```