
Re: Getting tickets for boot scripts



> 4.16 Providing Kerberos credentials to servers and programs
> ===========================================================
>
> Some services require Kerberos credentials when they start to make
> connections to other services, or use them after they have started.
>
> The easiest way to get a ticket for a service is to store the key in
> a keytab. Both ktutil get and kadmin ext can be used to get a keytab.
> ktutil get is better in that it changes the key/password for the
> user. This is the problem with ktutil: if ktutil is used for the same
> service principal on several hosts, the keytab will only be useful on the
> last host. In that case, run the command on one host and copy the keytab
> around to all other hosts that need it.
>
>      host# ktutil -k /etc/krb5-service.keytab \
>            get -p lha/admin@EXAMPLE.ORG service-principal@EXAMPLE.ORG
>      lha/admin@EXAMPLE.ORG's Password:
>
> To get a Kerberos credential file for the service, use kinit in
> --keytab mode; this will not ask for a password but rather use the key
> from the keytab.
>
>      service@host$ kinit --cache=/var/run/service_krb5_cache \
>                     --keytab=/etc/krb5-service.keytab \
>             service-principal@EXAMPLE.ORG
>
> Long-running services might need credentials longer than the expiration
> time of the tickets. kinit can run in a mode that refreshes the tickets
> before they expire. This is useful for services that write into AFS and
> other distributed file systems using Kerberos.
>
>      service@host$ kinit --cache=/var/run/service_krb5_cache \
>                     --keytab=/etc/krb5-service.keytab \
>             service-principal@EXAMPLE.ORG script-to-start-service
Yes I think this is it. I won't be able to try until the weekend but I think I 
have it straight.
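The boot-script pattern the quoted Heimdal text describes, written out as an added example (it is not from the mail or from the Heimdal documentation). The keytab path, cache path, principal and daemon command are assumed placeholders, and the permission check on the keytab is an addition the quoted text does not mention.

```sh
#!/bin/sh
# Boot-script wrapper for a Kerberos-using service (added example).
# kinit --keytab acquires tickets without a password; with a trailing
# command, kinit runs it and keeps refreshing the tickets until it exits.
# Assumed defaults; override from the environment or the init system.
KEYTAB=${KEYTAB:-/etc/krb5-service.keytab}
CACHE=${CACHE:-/var/run/service_krb5_cache}
PRINCIPAL=${PRINCIPAL:-service-principal@EXAMPLE.ORG}

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The keytab holds the service's long-term key, so refuse to start when
# it is missing or readable by group/others. Returns 0 when acceptable.
check_keytab() {
    keytab=$1
    if [ ! -f "$keytab" ]; then
        echo "keytab $keytab does not exist" >&2
        return 1
    fi
    case "$(file_mode "$keytab")" in
        600|400) return 0 ;;
        *) echo "keytab $keytab is readable by others; chmod 600 it" >&2
           return 1 ;;
    esac
}

# Compose the kinit invocation from the quoted documentation. Extra
# arguments are the service command kinit should run and keep renewed.
kinit_cmdline() {
    cache=$1; keytab=$2; principal=$3; shift 3
    printf 'kinit --cache=%s --keytab=%s %s' "$cache" "$keytab" "$principal"
    [ $# -gt 0 ] && printf ' %s' "$@"
    printf '\n'
}

# Entry point: validate the keytab, then hand off to kinit. With DRY_RUN
# set, print the command line instead of executing it.
start_service() {
    check_keytab "$KEYTAB" || return 1
    if [ -n "${DRY_RUN:-}" ]; then
        kinit_cmdline "$CACHE" "$KEYTAB" "$PRINCIPAL" "$@"
        return 0
    fi
    exec kinit --cache="$CACHE" --keytab="$KEYTAB" "$PRINCIPAL" "$@"
}
```

Call it from the boot script as `start_service /path/to/daemon args...`; because kinit stays in the foreground renewing tickets, the service supervisor should track the kinit process rather than the daemon directly.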