I have something working. It may be enough.

In principle there’s a two-stage process, with cron getting a ticket from 
s4u2self, and then using s4u2proxy to get the final NFS credentials. If that 
worked, gssproxy would only be able to get an NFS credential if there’s 
actually a cron job for the user, because the first step would be done by cron 
only at the start of a cron job.

At the moment it doesn’t appear that I can give gssproxy a credential cache 
with the tickets from s4u2self. However I can configure gssproxy to read cron’s 
key table itself, and thus do both steps of the impersonation. That works just 
fine. What it means is that users who use cron jobs will be able to access NFS 
at any time, not just from the cron jobs. But it’s not clear how much 
difference there is in practice. Root can of course su to any user. But root 
can also create a cron job for any user, so requiring there to be a cron job 
doesn’t give any additional real protection.

I did verify that ipaAllowToImpersonate works. I would definitely prefer a way 
to do that through IPA commands.

This looks like a better approach than the daemon I’m currently using.

> On Oct 22, 2019, at 11:43 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> 
> On Tue, 22 Oct 2019, Charles Hedrick via FreeIPA-users wrote:
>> ok. So delegation works. Now we come to the question of how to
>> configure it in gssproxy. The man page describes the syntax of the file
>> but not how it actually works. Any suggestions?
> 
> That is something for Simo, as gssproxy upstream. Unfortunately, I have
> no time right now to investigate that.
> 
> Maybe you can file a ticket to gssproxy asking to document that?
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
> 
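The single-service gssproxy setup Charles describes above, written out as an added example that is not from this thread or from the gssproxy project; the service name, keytab path, ccache location and the euid of the requesting process are assumptions, while `impersonate`, `cred_store`, `cred_usage`, `allow_any_uid` and `euid` are gssproxy.conf options:

```ini
# Added example, not from this thread. Service name, keytab path, ccache
# location and euid are assumptions; check them against gssproxy.conf(5).
[service/cron-nfs]
  mechs = krb5
  # Keytab of the principal cron runs with. IPA has to mark this principal
  # as allowed to impersonate users (ipaAllowToImpersonate) and to delegate
  # to the nfs/ service of the file server; otherwise S4U2Proxy is refused.
  cred_store = keytab:/etc/gssproxy/cron.keytab
  # Per-user credential cache that gssproxy fills in for the NFS client
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
  # Do both steps (S4U2Self, then S4U2Proxy) with the keytab credentials above
  impersonate = yes
  # The kernel NFS client asks via rpc.gssd (running as root) for credentials
  # of arbitrary uids, so accept requests on behalf of any uid from euid 0
  allow_any_uid = yes
  euid = 0
  socket = /var/lib/gssproxy/default.sock
```

Because the credentials come from the keytab whenever a request arrives, any user on the host can reach NFS at any time, which is the trade-off described above; keeping the delegation target in IPA limited to the file server's nfs/ principal at least keeps that keytab from being usable against any other service.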

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org