[systemd-devel] Service that runs with network credentials

Bruno Vernay brunovern.a at gmail.com
Thu Dec 5 13:32:56 UTC 2019


Maybe the keyring is part of the answer :
http://man7.org/linux/man-pages/man7/session-keyring.7.html
You may find many pointers here
https://gitlab.com/BrunoVernay/systemd-playground/tree/master/12-keyring
(some may be outdated)
It is a way to make credential available to a service.


On Thu, Dec 5, 2019 at 12:54 PM Mantas Mikulėnas <grawity at gmail.com> wrote:

> On Thu, Dec 5, 2019 at 9:27 AM Kenneth Porter <shiva at sewingwitch.com>
> wrote:
>
>> What's the best practice for defining a service that might require
>> network credentials to run? Are there example unit files that do this?
>> How does one set up the dependencies to access an LDAP or Active
>> Directory server, for example?
>>
>
> It varies a bit, as Linux doesn't really have a unified concept of
> "network credentials" for services.
>
> If the server accepts Kerberos authentication (e.g. MS AD), then you can:
> a) set up a separate service that runs 'k5start', obtaining Kerberos
> tickets based on /etc/krb5.keytab, allowing you to use
> Requires/After=k5start at foo.service and
> Environment="KRB5CCNAME=FILE:/tmp/krb5cc_foo";
> or b) with MIT Krb5, let the library do this automatically by specifying a
> 'client keytab' via Environment="KRB5_CLIENT_KTNAME=/etc/ldap/krb5.keytab";
> or c) set up gss-proxy in client mode, then use
> Environment="GSS_USE_PROXY=1".
> Maybe Samba or SSSD already have something to make this more seamless, too.
>
> Note: While there are many ways to use an AD account to access a remote
> server, you *cannot* run the service process itself under an AD/LDAP
> account, i.e. you cannot specify non-local accounts in User=. But that's
> fine, because on Linux it wouldn't give you any network credentials anyway.
>
> --
> Mantas Mikulėnas



-- 
Bruno VERNAY
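A worked example of option (a) from Mantas's reply, added here as an illustration rather than taken from the thread or from systemd's or kstart's own documentation: a k5start@.service template that keeps a ticket cache refreshed from the host keytab, and a consumer unit that orders itself after it and points KRB5CCNAME at that cache. The unit names, the instance/user name ldapsync, the cache path and the ldapsync binary are assumptions chosen for the example. The k5start flags used are the kstart options as I know them (-U: take the client principal from the keytab, -f: keytab, -K: renewal interval in minutes, -k: ticket cache, -o/-g/-m: owner, group and mode of the cache file); check them against the k5start man page on your distribution.

```ini
# /etc/systemd/system/k5start@.service  (added example; %i = consumer's local user)
[Unit]
Description=Kerberos ticket cache for %i (k5start)
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
# Assumption: the service principal lives in /etc/krb5.keytab, so k5start
# runs as root; the cache is handed to %i with 0600 so only %i can read it.
ExecStart=/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 -k /tmp/krb5cc_%i -o %i -g %i -m 0600
Restart=on-failure
RestartSec=30s
# k5start needs only the keytab (read) and the cache path (write).
ProtectSystem=strict
ReadWritePaths=/tmp
NoNewPrivileges=yes
# Do not enable PrivateTmp here: the consumer must see the same /tmp.

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/ldapsync.service  (added example consumer)
[Unit]
Description=Example LDAP sync job authenticating to AD via GSSAPI
Requires=k5start@ldapsync.service
After=k5start@ldapsync.service

[Service]
Type=oneshot
# Must be a local account; see the note in the thread about User=.
User=ldapsync
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_ldapsync
# After= only orders on k5start having been started, not on a ticket having
# been obtained. klist -s exits non-zero if the cache is missing or expired,
# so the job fails fast instead of running unauthenticated.
ExecStartPre=/usr/bin/klist -s
# Assumed binary; anything that speaks GSSAPI/SASL picks up the cache from KRB5CCNAME.
ExecStart=/usr/local/bin/ldapsync --use-gssapi
# Again no PrivateTmp=yes, or the shared cache in /tmp becomes invisible.

# Variant for option (b), MIT Krb5 client keytab, as a drop-in for the consumer:
# /etc/systemd/system/ldapsync.service.d/client-keytab.conf
# Drops the dependency on k5start; the library obtains and refreshes
# credentials itself. The keytab must then be readable by User=ldapsync,
# so use a per-service keytab rather than /etc/krb5.keytab.
[Unit]
Requires=
After=network-online.target
[Service]
Environment=KRB5_CLIENT_KTNAME=/etc/ldapsync/krb5.keytab
```

The cache file lives in /tmp because that is what the thread uses; the practical consequence is that neither unit may use PrivateTmp=, since each would then get its own private /tmp and the consumer would never see the cache. A path under /run (via RuntimeDirectory= on the k5start unit) avoids that constraint. The ExecStartPre=klist -s check is the piece most people omit: without it a consumer that starts during the first-boot window, before k5start has talked to the KDC, silently proceeds with no credentials.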