On 2017-07-27 12:17, Darac Marjal via FreeIPA-users wrote:
> Hi all,
> 
> I'm fairly new to FreeIPA, but I'm using it to sort out single-sign-on
> on a few computers on my small network.
> 
> So far, I've managed to set up automounting of krb5i-protected shares
> on my NAS. I can see that, when I log in, a Kerberos ticket is arranged
> and then that is used to authenticate to the NFS server.
> 
> What I'm now wondering about is how things work with cron. I would like
> to leave some of my machines unattended, but still have them run cron
> jobs that access the NFS filesystems.
> 
> Is this a non-problem (i.e. is cron going to be able to access my files
> without interaction, in the same way that it would on a regular system?)
> Or do I need to arrange something beforehand to allow cron access (I've
> seen various references to S4U2Proxy, to creating a "user/cron@REALM"
> user and mapping that to just "user@REALM" and also to simply running
> kinit before each job.)
> 
> Pointers to documentation would be useful.
> 
> For reference, I'm running FreeIPA on Fedora 25, but my client machines
> are typically Debian 9.

You don't have to resort to a cron job to request and refresh a TGT.
It's much simpler to use a keytab for your service and let Kerberos
acquire a TGT automatically. You can either place the keytab in a
special location, set the env var KRB5_CLIENT_KTNAME or use GSSProxy to
handle the keytab for you. With a client keytab, you don't have to call
kinit at all.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander
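The client-keytab route Christian describes, as an added example that is not part of the thread: a POSIX sh wrapper that refuses to install a job unless the keytab is owner-only readable, and emits the crontab entry with KRB5_CLIENT_KTNAME set so libkrb5 fetches the TGT itself. The principal, realm, paths and the rsync command are placeholders; `stat -c` assumes GNU coreutils; the one-time `ipa-getkeytab` step is shown only as a comment because it needs a FreeIPA client and a KDC.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: run an unattended cron job
# with a Kerberos client keytab instead of calling kinit.
# All principals, realms, paths and the job command are hypothetical.
# Requires GNU coreutils stat(1); Kerberos-only steps are left as comments.

# One-time setup, interactive, as the user, on an enrolled FreeIPA client:
#   kinit alice
#   ipa-getkeytab -p alice@EXAMPLE.TEST -k /home/alice/.krb5/client.keytab
# Caveat: without -r (retrieve existing keys), ipa-getkeytab generates new
# keys for the principal, which invalidates the user's current password.
# A dedicated principal for the job, as the question mentions, avoids that.

# Return 0 when the keytab exists, is a regular file, and carries no group
# or other permission bits. A keytab is a long-lived password equivalent,
# so anything looser than 0600 on an unattended box is a finding.
keytab_permissions_ok() {
    kt="$1"
    [ -f "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt") || return 1
    # keep only the group and other digits of the octal mode
    tail=$(printf '%s' "$mode" | sed 's/^.*\(..\)$/\1/')
    [ "$tail" = "00" ]
}

# Print the crontab line that runs a job with the keytab exported.
# With KRB5_CLIENT_KTNAME set and no credential cache present, libkrb5
# acquires a TGT for the keytab's principal on first use.
cron_entry() {
    schedule="$1"; kt="$2"; cmd="$3"
    printf '%s KRB5_CLIENT_KTNAME=%s %s\n' "$schedule" "$kt" "$cmd"
}

# Preflight before installing the entry: fail closed if the keytab is
# missing or too permissive, rather than letting the job silently fall
# back to a password prompt nobody is there to answer.
preflight() {
    kt="$1"
    if ! keytab_permissions_ok "$kt"; then
        echo "preflight: $kt missing or not mode 0600" >&2
        return 1
    fi
    # On a real client, `klist -k "$kt"` here would confirm the principal
    # the keytab holds; skipped so this script runs without Kerberos.
    return 0
}

# Demo on a constructed placeholder file (empty, not a real keytab).
KT="${TMPDIR:-/tmp}/client.keytab.$$"
: > "$KT"
chmod 600 "$KT"
preflight "$KT" && \
    cron_entry '*/15 * * * *' "$KT" '/usr/bin/rsync -a /srv/nas/ /home/alice/backup/'
rm -f "$KT"
```

Exporting the variable per job keeps the keytab scoped to that entry; the other two options Christian lists are the library-wide default path (`default_client_keytab_name` in the `[libdefaults]` section of krb5.conf) and handing the keytab to gssproxy, which then serves credentials to the job without the file ever being readable by the job's uid.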


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org