I have a working setup in a corporate environment where we use RHEL7 together with SSSD to authenticate against Active Directory. Regular authentication works well.

I managed to get the NFSv4 server to work with NFSv4 clients, all using the same domain together with Kerberos and SSSD, but only in an interactive fashion (i.e. SSSD auto-creates the ticket at login time, or it is created manually using kinit).

The purpose of these NFS shares is to store some content that will need to be accessible from applicative users (i.e. httpd or tomcat).

What is the best approach for such a deployment to make access possible to the user in a non-interactive way?

Braiam
Nicolas

1 Answer

The approach I've generally used for this:

  • Create a user account for the service that requires access
  • Use kadmin to create a keytab for that service.
  • Use a process such as k5start to ensure the keytab is refreshed at appropriate intervals.

For ease of management, I've often used this systemd unit file (or a variant) for k5start. Configure it as a user service managed by systemd.

[Unit]
Description=Service User Kerberos Auth (Keytab)
After=dbus.service
After=network.target
After=NetworkManager.service

[Service]
# %h is the home directory of the user running this user-level service manager
# (systemd does not expand ${HOME} inside Environment= values)
Environment="KEYTAB=%h/krb5.keytab"
# k5start -K takes the renewal interval in minutes
Environment="INTERVAL=120"
Type=simple
# -f keytab to authenticate with, -K renew interval, -L log to syslog,
# -u client principal to obtain the ticket for (%u = the service user's name)
ExecStart=/usr/bin/k5start -f ${KEYTAB} -K ${INTERVAL} -L -u %u
Restart=on-failure

[Install]
WantedBy=default.target
Adam Luchjenbroers
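As an added example (not part of the answer above, and not a k5start or SSSD script), a small POSIX shell helper that checks the service user's keytab before it is handed to k5start and then obtains a ticket non-interactively, the same way the unit file does. The keytab path, service user name and NFS mount point are assumed placeholders, and the credential cache written by kinit must sit where rpc.gssd looks for it (its ccache directory, /tmp on a default RHEL7) or the mount test at the end will fail even though the ticket is valid.

```shell
#!/bin/sh
# Added example: validate a service user's keytab, pick its principal from
# 'klist -k' output, get a ticket without any interactive login, test the mount.
# Assumptions (placeholders): service user "tomcat", keytab in its home
# directory, krb5 NFS share mounted on /srv/nfs.
set -u

# A keytab is long-term key material: it must be owned by the service user
# and readable by that user only. Returns 0 when the permissions are acceptable.
check_keytab_perms() {
    keytab="$1"; owner="$2"
    [ -f "$keytab" ] || return 1
    mode=$(stat -c '%a' "$keytab") || return 1
    user=$(stat -c '%U' "$keytab") || return 1
    [ "$user" = "$owner" ] || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read 'klist -k' output on stdin (header, "KVNO Principal", dashes, then
# one "KVNO principal" per line) and print the first principal whose name
# part equals the wanted user (tomcat@REALM or tomcat/host@REALM).
principal_from_klist() {
    wanted="$1"
    awk -v u="$wanted" 'NR > 3 && $2 ~ "^" u "[@/]" { print $2; exit }'
}

# Non-interactive ticket acquisition from the keytab, then a read through
# the krb5 NFS mount, which only works once rpc.gssd has found the ccache.
acquire_and_test() {
    user="$1"; keytab="$2"; mountpoint="$3"
    check_keytab_perms "$keytab" "$user" || {
        echo "refusing to use $keytab: wrong owner or mode (want $user, 0600)" >&2
        return 1
    }
    princ=$(klist -k "$keytab" | principal_from_klist "$user")
    [ -n "$princ" ] || { echo "no principal for $user in $keytab" >&2; return 1; }
    kinit -k -t "$keytab" "$princ" || return 1
    ls "$mountpoint" >/dev/null
}

# Usage on the NFS client, run as the service user:
#   acquire_and_test tomcat "$HOME/krb5.keytab" /srv/nfs
```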