0

I am running an NFSv4 server and a client on two Raspbian Buster distributions. I use Kerberos to secure the NFS share.

On the NFS client, I run the gitea service as the git user; it is started on boot. I would like to store the git repositories on the NFS share, so the git user will need to access it.

When I log in as the git user and execute kinit, I can access the share without issue.

Is there a way for the gitea service to automatically ask for a Kerberos ticket and renew it, so the service can access the NFS share without my intervention?

I did some research and have some ideas in mind, but I am not sure what the best way to achieve it is.

  • I could run a cron job that regularly runs kinit.
  • This thread talks about SSSD (which I didn't know about)
  • I could manually do an initial kinit and set a very long ticket lifetime, but that is not good practice from a security point of view.

(I am new to Kerberos and NFS, so they may be poorly configured, but it works.)

Thanks!

ThinkB4

2 Answers

0

The answer "client keytab" goes in the right direction, but I couldn't make this work on its own. With gssproxy, however, it works like a charm. See https://github.com/gssapi/gssproxy/blob/main/docs/NFS.md for details.

0

You have basically two alternatives:

  • run everything as root, since root uses the machine credentials,
  • create a client keytab for your user.

In order to use the second solution you have to locate the default location for client keytabs:

piotr@bialykiel:~$ krb5-config --defcktname
FILE:/etc/krb5/user/%{euid}/client.keytab

and create the keytab using kadmin:

ktadd -k /etc/krb5/user/1234/client.keytab yourprincipal@YOUR.DOMAIN.ORG

Whenever a GSS-API application such as rpc.gssd is not able to access your credential cache, it will create a new one using the keytab.

Piotr P. Karwasz
  • Thanks for your answer. I will learn a bit more about keytab and use this solution. – ThinkB4 Nov 06 '19 at 10:41
  • You already have a keytab with the machine's credentials (`/etc/krb5.keytab`). Client keytabs are similar and contain an equivalent of the user's password: if someone else reads them, you must change the password. – Piotr P. Karwasz Nov 06 '19 at 17:05
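An added example (not from the answer or the MIT Kerberos project): a small POSIX shell helper that expands the `%{euid}` placeholder printed by `krb5-config --defcktname` for a given uid, then checks that the resulting client keytab is owned by that uid and carries no group/other permission bits, since the comment above notes that a readable client keytab is equivalent to the user's password. The uid 1234 is the placeholder from the answer, and the template string is the one shown in the `krb5-config` output.

```shell
#!/bin/sh
# Added example: resolve the per-user client keytab path from the
# krb5-config template and verify the file is kept private.
# Template format "FILE:/etc/krb5/user/%{euid}/client.keytab" is the
# one shown in the answer; MIT Kerberos replaces %{euid} with the
# numeric effective uid of the process.

# Usage: client_keytab_path TEMPLATE UID -> prints the expanded path
client_keytab_path() {
    template=$1
    uid=$2
    # Drop the leading "FILE:" cache-type prefix, then substitute %{euid}.
    path=${template#FILE:}
    printf '%s\n' "$path" | sed "s/%{euid}/$uid/g"
}

# Usage: keytab_is_private PATH UID -> exit status 0 only if the keytab
# exists, is owned by UID, and is mode 0600 or stricter.
keytab_is_private() {
    path=$1
    uid=$2
    [ -f "$path" ] || return 1
    # GNU stat first, BSD stat as a fallback; output is "MODE OWNERUID".
    info=$(stat -c '%a %u' "$path" 2>/dev/null || stat -f '%Lp %u' "$path") || return 1
    mode=${info% *}
    owner=${info#* }
    [ "$owner" = "$uid" ] || return 1
    # The group and other octal digits must both be zero.
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Demo (uid 1234 is the placeholder used in the answer). Guarded by an
# environment variable so the functions can be sourced without running it.
if [ -n "${RUN_DEMO:-}" ]; then
    template=$(krb5-config --defcktname)
    kt=$(client_keytab_path "$template" 1234)
    if keytab_is_private "$kt" 1234; then
        echo "ok: $kt is private"
    else
        echo "keytab missing, wrong owner, or too permissive: $kt"
    fi
fi
```

Run with `RUN_DEMO=1 sh check-keytab.sh` on the NFS client; a keytab that fails the check should be fixed with `chown`/`chmod` before the service relies on it.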