
Re: Getting tickets for boot scripts

Sean Brown <sblinux@shaw.ca> writes:

> I'm new to setting up kerberos, and am setting up my first realm. I am running 
> snort on one of my systems, which is started via the rc scripts when OpenBSD 
> boots. It logs its information to a PostgreSQL database on another system. I 
> chose pgsql because it supports kerberos auth. The problem is that the rc 
> scripts are run as root, but snort drops its privileges to user _snorter 
> after it starts, but I have no idea how to get a valid ticket from the kdc so 
> that I don't have to put a password in the config file.
> So how on earth do I get tickets for different users when it's for applications 
> run from rc boot scripts?

I added a new section to the info documentation; is this the answer to
the question you're asking?


4.16 Providing Kerberos credentials to servers and programs

Some services require Kerberos credentials when they start, to make
connections to other services, or use them after they have started.

The easiest way to get a ticket for a service is to store the key in
a keytab. Both ktutil get and kadmin ext can be used to get a keytab.
ktutil get is better in that it changes the key/password for the
user. This is the problem with ktutil: if ktutil is used for the same
service principal on several hosts, the keytab will only be useful on the
last host. In that case, run the command on one host and copy the keytab
around to all other hosts that need it.

     host# ktutil -k /etc/krb5-service.keytab \
           get -p lha/admin@EXAMPLE.ORG service-principal@EXAMPLE.ORG
     lha/admin@EXAMPLE.ORG's Password:

To get a Kerberos credential file for the service, use kinit in the
--keytab mode; this will not ask for a password but rather use the key
from the keytab.

     service@host$ kinit --cache=/var/run/service_krb5_cache \
                    --keytab=/etc/krb5-service.keytab \
            service-principal@EXAMPLE.ORG

Long running services might need credentials longer than the expiration
time of the tickets. kinit can run in a mode that refreshes the tickets
before they expire. This is useful for services that write into AFS and
other distributed file systems using Kerberos.

     service@host$ kinit --cache=/var/run/service_krb5_cache \
                    --keytab=/etc/krb5-service.keytab \
            service-principal@EXAMPLE.ORG script-to-start-service
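
The two kinit steps above, wrapped into an rc-style start script as an added example that is not part of the original post or the Heimdal manual; the keytab path, cache path, principal and service command below are assumed names, and the keytab mode check is an extra precaution the text does not mention.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: keytab
# /etc/krb5-service.keytab, cache /var/run/service_krb5_cache,
# principal service-principal@EXAMPLE.ORG, command /usr/local/sbin/service.

KEYTAB=${KEYTAB:-/etc/krb5-service.keytab}
CACHE=${CACHE:-/var/run/service_krb5_cache}
PRINCIPAL=${PRINCIPAL:-service-principal@EXAMPLE.ORG}
SERVICE_CMD=${SERVICE_CMD:-/usr/local/sbin/service}

# A keytab holds the service's long-term key, i.e. a password equivalent.
# Accept it only if it is a regular file readable by its owner alone
# (mode 0600 or 0400). Returns 0 when acceptable, 1 otherwise.
check_keytab() {
    kt=$1
    [ -f "$kt" ] || return 1
    # Field 1 of ls -ld is the mode string, e.g. -rw-------; take only the
    # first ten characters so a trailing ACL marker does not matter.
    mode=$(ls -ld "$kt" | cut -c1-10)
    case "$mode" in
        -r?-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Argument string for the long-running form shown above: kinit reads the
# key from the keytab, hands the cache to the command through KRB5CCNAME,
# and refreshes the tickets before they expire while the command runs.
kinit_args() {
    printf '%s' "--cache=$CACHE --keytab=$KEYTAB $PRINCIPAL $SERVICE_CMD"
}

# Start the service under kinit. The cache is created by whoever runs
# kinit; if the service drops privileges afterwards, that unprivileged
# user must still be able to read $CACHE, so run this as the service
# user or adjust the cache's ownership in the service's own startup.
start_service() {
    check_keytab "$KEYTAB" || { echo "refusing to use $KEYTAB: bad mode" >&2; return 1; }
    # shellcheck disable=SC2046
    exec kinit $(kinit_args)
}

case "${1:-}" in
    start) start_service ;;
esac
```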
