On Sat, Jan 18, 2025 at 6:51 PM Troels Arvin via sssd-users
<[email protected]> wrote:

> SSSD is a great way to maintain server's joined relation to an
> active directory, for example. In combination with msktutil, one may
> manage SPNs in an elegant way, forming the basis of single-sign-on
> into (e.g.) Postgres.
>
> However, there doesn't seem to be a good way to maintain derived
> keytabs from the system's main /etc/krb5.keytab. A use case I have
> is that I need the 'postgres/' keytab entries from a server's main
> krb5.keytab to be available for the server's Postgres database as
> /etc/postgresql-common/krb5.conf with special permissions. (Have I
> overlooked a good, existing solution for it?)

A better way would be to use gssproxy(8), which is designed exactly
for this use case.  If postgresql uses the GSSAPI libraries for
Kerberos, it should work.  And at least for Fedora and RHEL
derivatives, that appears to be the case:

$ objdump -x /usr/bin/postgres | grep NEEDED | grep gssapi
  NEEDED               libgssapi_krb5.so.2

So, for /etc/gssproxy/50-postgresql.conf:

[service/postgresql]
    mechs = krb5
    cred_store = keytab:/etc/krb5.keytab
    euid = postgres

And for /etc/systemd/system/postgresql.service.d/use-gss-proxy.conf:

[Service]
Environment=GSS_USE_PROXY=1

For more information about gssproxy, see:

https://github.com/gssapi/gssproxy/tree/main/docs

Note that some of the GitHub documentation above is outdated.  For
example, the systemd ".include" directive is deprecated; using drop-in
files in the /etc/systemd/system/SERVICENAME.service.d/ directory (as
per my example above) is now preferred.
-- 
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
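As an added example that is not part of the thread above, the following POSIX shell script checks the three pieces of the gssproxy setup described in the reply: the [service/postgresql] section of the gssproxy config, the systemd drop-in that exports GSS_USE_PROXY=1, and that /etc/krb5.keytab stays private to root (with gssproxy the postgres user never needs to read it). The file paths are the ones from the reply; the function names and the sample files the script is exercised with are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): sanity checks for the
# gssproxy-based PostgreSQL setup. Paths default to the ones in the reply.

# Return 0 if [service/NAME] in a gssproxy config has mechs = krb5,
# a keytab cred_store and euid = USER (the settings the reply relies on).
gssproxy_section_ok() {
    conf="$1"; name="$2"; user="$3"
    # Keep only the lines of [service/NAME] up to the next section header.
    section=$(awk -v sec="[service/$name]" '
        $0 == sec { inside = 1; next }
        /^\[/     { inside = 0 }
        inside    { print }
    ' "$conf")
    printf '%s\n' "$section" | grep -Eq '^[[:space:]]*mechs[[:space:]]*=[[:space:]]*krb5[[:space:]]*$' || return 1
    printf '%s\n' "$section" | grep -Eq '^[[:space:]]*cred_store[[:space:]]*=[[:space:]]*keytab:/' || return 1
    printf '%s\n' "$section" | grep -Eq "^[[:space:]]*euid[[:space:]]*=[[:space:]]*$user[[:space:]]*\$" || return 1
    return 0
}

# Return 0 if the systemd drop-in exports GSS_USE_PROXY=1 for the service.
dropin_ok() {
    grep -Eq '^Environment=(.*[[:space:]])?GSS_USE_PROXY=1([[:space:]]|$)' "$1"
}

# Return 0 if the keytab has no group/other permission bits at all:
# gssproxy (running as root) reads it on the service's behalf, so the
# service account should not be able to read the keys directly.
keytab_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: gss-check.sh /etc/gssproxy/50-postgresql.conf \
#   /etc/systemd/system/postgresql.service.d/use-gss-proxy.conf /etc/krb5.keytab
if [ $# -eq 3 ]; then
    gssproxy_section_ok "$1" postgresql postgres && dropin_ok "$2" \
        && keytab_private "$3" && echo "gssproxy setup for postgresql looks consistent"
fi
```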