
There is something I can't grasp about security in Linux.

I have a piece of software; it's running as a service as user X, and it needs RW access to directory Y, which is owned by user Z and group C (both of which are in LDAP). This is running on a separate VM, and the VM is joined to the Kerberos REALM. Directory Y is NFS mounted. Using POSIX ACLs, I added user X to the directory.

I have FreeIPA (Kerberos) auth; would it be wise to migrate user X to Kerberos and add it to group C?

The directory is also used for a Samba share (Windows clients), so multiple users are accessing it, and they are in group C.

How would I go about service accounts? Any recommended reading on this?

ColdIce

1 Answer


Sure, you can make such user and group accounts in FreeIPA. I suggest making sure you use the same UID/GID, home directory, etc., that would be used on a standalone system, and being aware that such accounts will then be available on every computer on the domain. Which means if there is a home directory it should exist on every computer on the domain that might use that service account. For instance, you might create user and group apache with UID/GID 48/48 and ensure that its home directory /usr/share/httpd exists by installing the httpd package on every domain member that might need to use that user and group. Which you'd do anyway because it would be httpd that would be using that user and group!

Michael Hampton
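As an added example (not part of the answer above), a shell script that provisions the apache service account the answer describes through the FreeIPA CLI with fixed UID/GID 48/48 and home /usr/share/httpd, and a check to run on each domain member that confirms the resolved account matches those values. The `ipa` flags are the standard FreeIPA ones; running the provisioning function assumes an enrolled client with an admin Kerberos ticket, while the check functions work on any passwd(5)-style line.

```shell
#!/bin/sh
# Added example, not the answer's own code. Provisions a FreeIPA service
# account with a fixed UID/GID and home directory, then verifies that a
# domain member resolves it to exactly those values (the answer's point:
# the IDs and home must be the same on every host that uses the account).
set -eu

SVC_USER=apache
SVC_UID=48
SVC_GID=48
SVC_HOME=/usr/share/httpd
SVC_SHELL=/sbin/nologin

# Create the group first so the user's primary GID can reference it.
# Assumes `kinit admin` has already been done on an enrolled client.
provision_service_account() {
  ipa group-add "$SVC_USER" --gid="$SVC_GID" --desc="httpd service account group"
  ipa user-add "$SVC_USER" --first=Apache --last=Service \
      --uid="$SVC_UID" --gidnumber="$SVC_GID" \
      --homedir="$SVC_HOME" --shell="$SVC_SHELL"
  ipa group-add-member "$SVC_USER" --users="$SVC_USER"
}

# Check one passwd(5)-style line (as printed by `getent passwd apache`)
# against the expected UID, GID and home directory. Returns 0 when all
# three match, 1 otherwise, printing the first mismatch found.
verify_passwd_entry() {
  line=$1; want_uid=$2; want_gid=$3; want_home=$4
  name=${line%%:*}
  uid=${line#*:*:};          uid=${uid%%:*}
  gid=${line#*:*:*:};        gid=${gid%%:*}
  home=${line#*:*:*:*:*:};   home=${home%%:*}
  [ "$uid" = "$want_uid" ]   || { echo "$name: uid $uid != $want_uid"; return 1; }
  [ "$gid" = "$want_gid" ]   || { echo "$name: gid $gid != $want_gid"; return 1; }
  [ "$home" = "$want_home" ] || { echo "$name: home $home != $want_home"; return 1; }
  return 0
}

# On a domain member: confirm the account resolves (via SSSD) with the
# expected IDs and that the home directory exists, which installing the
# httpd package normally takes care of.
verify_on_host() {
  entry=$(getent passwd "$SVC_USER") || { echo "$SVC_USER: not resolvable"; return 1; }
  verify_passwd_entry "$entry" "$SVC_UID" "$SVC_GID" "$SVC_HOME" || return 1
  [ -d "$SVC_HOME" ] || { echo "$SVC_HOME missing on $(hostname)"; return 1; }
  return 0
}
```

Run `verify_on_host` on every domain member that will use the account; a non-zero exit with the printed mismatch points at a host whose local passwd entry or package state disagrees with the domain.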