[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Getting tickets for boot scripts

To: Sean Brown <sblinux@shaw.ca>
Subject: Re: Getting tickets for boot scripts
From: Love <lha@stacken.kth.se>
Date: Mon, 13 Dec 2004 18:20:22 +0100
Cc: heimdal-discuss@sics.se
In-Reply-To: <200412121213.45675.sblinux@shaw.ca> (Sean Brown's message of"Sun, 12 Dec 2004 12:13:45 -0700")
References: <200412121213.45675.sblinux@shaw.ca>
Sender: owner-heimdal-discuss@sics.se
User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix)

Sean Brown <sblinux@shaw.ca> writes:

> I'm new to setting up kerberos, and am setting up my first realm. I am running 
> snort on one of my systems, which is started via the rc scripts when OpenBSD 
> boots. It logs its information to a PostgreSQL database on another system. I 
> chose pgsql because it supports kerberos auth. The problem is is that the rc 
> scripts are run as root, but snort drops its privileges to user _snorter 
> after it starts, but I have no idea how to get a valid ticket from the kdc so 
> that I don't have to put a password in the config file.
>
> So how on earth do I get tickets for different users when its for applications 
> run from rc boot scripts.

I added a new section to the info documentation, is this the answer to
the question your asking ?

Love

4.16 Providing Kerberos credentials to servers and programs
===========================================================

Some service require Kerberos credentials when they start to make
connections to other services or use them when they have started.

The easiest way to get ticket for the a service is to store the key in
a keytab. Both ktutil get and kadmin ext can be used to get a keytab.
ktutil get is better in that way it changes the key/password for the
user. This the problem with the ktutil. It ktutil is used for the same
service principal on several hosts, they keytab will only useful on the
last host. In that case, run the command on host and copy the keytab
around to all other hosts that needs it.

     host# ktutil -k /etc/krb5-service.keytab \
           get -p lha/admin@EXAMPLE.ORG service-principal@EXAMPLE.ORG
     lha/admin@EXAMPLE.ORG's Password:

To get a Kerberos credential file for the service, use kinit in the
-keytab mode, this will not ask for a password but rather that the key
From the keytab.

     service@host$ kinit --cache=/var/run/service_krb5_cache \
                    --keytab=/etc/krb5-service.keytab \
            service-principal@EXAMPLE.ORG

Long running services might need credentials longer then the expiration
time of the tickets. kinit can run in a mode that refreshes the tickets
before the expire. This is useful for services that write into AFS and
other distributed file systems using Kerberos.

     service@host$ kinit --cache=/var/run/service_krb5_cache \
                    --keytab=/etc/krb5-service.keytab \
            service-principal@EXAMPLE.ORG script-to-start-service

PGP signature

Follow-Ups:
- Re: Getting tickets for boot scripts
  - From: Sean Brown <sblinux@shaw.ca>
- Re: Getting tickets for boot scripts
  - From: Sean Brown <sblinux@shaw.ca>

References:
- Getting tickets for boot scripts
  - From: Sean Brown <sblinux@shaw.ca>

Prev by Date: Re: Problems with unified heimdal/samba domain
Next by Date: Patch to enable account expiration
Prev by thread: Re: Getting tickets for boot scripts
Next by thread: Re: Getting tickets for boot scripts
Index(es):
- Date
- Thread