[systemd-devel] Service that runs with network credentials

Mantas Mikulėnas grawity at gmail.com
Thu Dec 5 11:54:35 UTC 2019


On Thu, Dec 5, 2019 at 9:27 AM Kenneth Porter <shiva at sewingwitch.com> wrote:

> What's the best practice for defining a service that might require network
> credentials to run? Are there example unit files that do this? How does one
> set up the dependencies to access an LDAP or Active Directory server, for
> example?
>

It varies a bit, as Linux doesn't really have a unified concept of "network
credentials" for services.

If the server accepts Kerberos authentication (e.g. MS AD), then you can:
a) set up a separate service that runs 'k5start', obtaining Kerberos tickets
   based on /etc/krb5.keytab, allowing you to use
   Requires/After=k5start@foo.service and
   Environment="KRB5CCNAME=FILE:/tmp/krb5cc_foo";
or b) with MIT Krb5, let the library do this automatically by specifying a
   'client keytab' via Environment="KRB5_CLIENT_KTNAME=/etc/ldap/krb5.keytab";
or c) set up gss-proxy in client mode, then use Environment="GSS_USE_PROXY=1".
Maybe Samba or SSSD already have something to make this more seamless, too.

Note: While there are many ways to use an AD account to access a remote
server, you *cannot* run the service process itself under an AD/LDAP
account, i.e. you cannot specify non-local accounts in User=. But that's
fine, because on Linux it wouldn't give you any network credentials anyway.

-- 
Mantas Mikulėnas
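Option a) from the reply above, written out as a pair of unit files. This is an added example, not part of the original message or of the systemd project: the account name `foo`, the daemon path `/usr/local/bin/foo-daemon`, and the unit file paths are hypothetical; the keytab and cache paths are the ones named in the reply.

```ini
# /etc/systemd/system/k5start@.service  (template; %i names the cache)
[Unit]
Description=Keep a Kerberos ticket cache for %i from /etc/krb5.keytab
Wants=network-online.target
After=network-online.target

[Service]
# Run as the same account as the consuming service so it can read the cache
# (hypothetical account name).
User=foo
# -f: keytab to use, -U: take the principal from that keytab,
# -k: cache file to maintain, -K 10: stay in the foreground and renew every
# 10 minutes, -x: exit on any error so systemd notices and restarts it.
ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -U -k /tmp/krb5cc_%i -K 10 -x
Restart=on-failure
# Caveat: do not enable PrivateTmp= on either unit while the cache lives in
# /tmp, since each unit would then get its own private /tmp and the consumer
# would never see the cache; a directory under /run avoids that problem.

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/foo.service  (the service that needs LDAP/AD access)
[Unit]
Description=Service that authenticates to AD over Kerberos/GSSAPI
Requires=k5start@foo.service
After=k5start@foo.service

[Service]
User=foo
# Point the Kerberos library at the cache k5start@foo.service maintains.
Environment="KRB5CCNAME=FILE:/tmp/krb5cc_foo"
# Option b) instead (MIT Krb5 only): drop the Requires/After lines above and
# let the library fetch tickets itself from a client keytab:
#   Environment="KRB5_CLIENT_KTNAME=/etc/ldap/krb5.keytab"
ExecStart=/usr/local/bin/foo-daemon
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

To confirm the cache is being maintained before starting the consumer, run `sudo -u foo KRB5CCNAME=FILE:/tmp/krb5cc_foo klist` after `systemctl start k5start@foo.service`.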