We have Kerberos everywhere, and use it for access to NFS home directories.

So what do we do about cron jobs? We have a solution, but it involves custom 
code that impersonates the KDC. I’d like to do something more standard.

Constrained delegation seems like a possibility. But I’d need to be able to say 
“allow cron to get credentials for NFS for a specific group of users.” Since 
all of our systems run cron, I don’t want to allow any system to be able to get 
an NFS credential for any user. That would let root on any system see anyone’s 
files. So the user has to authorize it. Presumably if the user runs his own 
desktop, he’s willing to allow it to get credentials for himself. But I 
wouldn’t trust his machine to be able to get mine.

The constrained delegation mechanism seems to handle this, except that I don’t 
see a way to constrain it to specific users. Am I missing something?
