[plug] FW: Kerberos Ticket for Local Service Account

Chris Hoy Poy chris at hoypoy.id.au
Thu Jul 16 13:50:55 AWST 2020


If it's an interactive account, users should kinit and enter a password or
use a smart key, etc., to authenticate themselves.

System/service accounts generally have a krb5 keytab that is used to
request valid service tokens. Often you need some other script renewing
those tokens; it depends how krb5-aware the service is. I've just used Cron
in the past (there are many examples of how to do this, from memory!).

/Chris
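The keytab-plus-cron pattern Chris describes, as an added example that is not part of the thread and not anyone's posted code; it assumes MIT Kerberos and the hypothetical names given in the comments:

```shell
#!/bin/sh
# Added example (not from the thread): refresh a keytab-based TGT for a
# Linux service account from cron, so the service never holds an expired
# ticket. Assumed MIT Kerberos and hypothetical names: user "saas" owns
# keytab /etc/krb5/saas.keytab (mode 0600) holding saas@MYDOMAIN.LOCAL,
# and the service exports KRB5CCNAME=FILE:/var/lib/saas/krb5cc.
# Crontab line for user saas:  0 */4 * * *  /usr/local/bin/krb5-refresh.sh run
set -u

PRINCIPAL="${PRINCIPAL:-saas@MYDOMAIN.LOCAL}"
KEYTAB="${KEYTAB:-/etc/krb5/saas.keytab}"
CCACHE="${CCACHE:-/var/lib/saas/krb5cc}"

# Read `klist -k <keytab>` output on stdin and succeed only if the wanted
# principal is listed (it is the last field of each entry line). This catches
# a wrong principal name or a stale keytab before any KDC round trip.
keytab_has_principal() {
    awk -v want="$1" '$NF == want { found = 1 } END { exit !found }'
}

# Obtain a fresh TGT with the keytab (no password needed, so safe for cron)
# into a private temp cache, then rename it into place atomically so the
# service never reads a half-written or empty cache file.
refresh_ticket() {
    klist -k "$KEYTAB" | keytab_has_principal "$PRINCIPAL" || {
        echo "principal $PRINCIPAL not found in $KEYTAB" >&2
        return 1
    }
    tmp="$(mktemp "$CCACHE.XXXXXX")" || return 1   # mktemp creates it 0600
    if kinit -k -t "$KEYTAB" -c "FILE:$tmp" "$PRINCIPAL"; then
        mv -f "$tmp" "$CCACHE"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Exit 0 while the cache still holds an unexpired TGT (klist -s prints
# nothing); useful as a pre-start check in the service unit or wrapper.
ticket_valid() {
    klist -s -c "FILE:$CCACHE"
}

case "${1:-}" in
    run)   refresh_ticket ;;
    check) ticket_valid ;;
esac
```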

On Thu, 16 Jul 2020, 1:45 pm Alex, <alex at spottedmouse.com> wrote:

> Hi Chris,
>
> Thanks for your help.
>
> kinit shows:
> kinit: Client 'saas at mydomain.local' not found in Kerberos database while
> getting initial credentials
>
> klist shows:
> klist: Credentials cache keyring 'persistent:5050:5050' not found
>
> I think you are right in that I need a ticket. What is the best way to
> associate one to a system account in a way that ticket expiration is handled
> seamlessly? I did consider running kinit every couple of hours, but this
> feels like a horrible solution. Are there any other options for maintaining
> a valid ticket?
>
> Kind regards
> Alex
>
>
> On 2020-07-16 13:19, Chris Hoy Poy wrote:
> > What does kinit show for your second user? It sounds like it needs a
> > token (or access to one).
> >
> > Usually every user that requires access needs a ticket (so kinit needs
> > to reflect that, or it will bounce).
> >
> > /Chris
> >
> > On Thu, 16 Jul 2020, 1:16 pm Alex, <alex at spottedmouse.com> wrote:
> >
> >> Hi all,
> >>
> >> I am looking at running a service under a local system account on a
> >> Linux server, but need to be able to access an NFS v4 share with
> >> Kerberos enabled security. As root user I can see that using the
> >> machine’s Kerberos ticket access to the share works successfully.
> >> However, as soon as I try to access the share using another local
> >> system account, access to the share is denied.
> >>
> >> I am hoping we have a local Kerberos expert who might be able to
> >> point me in the direction of how this is usually done. Any pointers
> >> on how to allow local system users access to the Kerberos tickets and
> >> the share would really help me out.
> >>
> >> Kind regards
> >>
> >> Alex
> >> _______________________________________________
> >> PLUG discussion list: plug at plug.org.au
> >> http://lists.plug.org.au/mailman/listinfo/plug
> >> Committee e-mail: committee at plug.org.au PLUG Membership:
> >> http://www.plug.org.au/membership
>
>