<div dir="ltr">Maybe the keyring is part of the answer:
<a href="http://man7.org/linux/man-pages/man7/session-keyring.7.html">http://man7.org/linux/man-pages/man7/session-keyring.7.html</a><div>You may find many pointers here <a href="https://gitlab.com/BrunoVernay/systemd-playground/tree/master/12-keyring">https://gitlab.com/BrunoVernay/systemd-playground/tree/master/12-keyring</a> (some may be outdated).</div><div>It is a way to make credentials available to a service.</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Dec 5, 2019 at 12:54 PM Mantas Mikulėnas <<a href="mailto:grawity@gmail.com">grawity@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr">On Thu, Dec 5, 2019 at 9:27 AM Kenneth Porter <<a href="mailto:shiva@sewingwitch.com" target="_blank">shiva@sewingwitch.com</a>> wrote:<br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">What's the best practice for defining a service that might require network <br>
credentials to run? Are there example unit files that do this? How does one <br>
set up the dependencies to access an LDAP or Active Directory server, for <br>
example?<br></blockquote><div><br></div><div>It varies a bit, as Linux doesn't really have a unified concept of "network credentials" for services.</div><div><br></div><div>If the server accepts Kerberos authentication (e.g. MS AD), then you can:</div><div>a) set up a separate service that runs 'k5start', obtaining Kerberos tickets based on /etc/krb5.keytab, allowing you to use Requires/After=k5start@foo.service and Environment="KRB5CCNAME=FILE:/tmp/krb5cc_foo";</div><div>or b) with MIT Krb5, let the library do this automatically by specifying a 'client keytab' via Environment="KRB5_CLIENT_KTNAME=/etc/ldap/krb5.keytab";</div><div>or c) set up gss-proxy in client mode, then use Environment="GSS_USE_PROXY=1".</div><div>Maybe Samba or SSSD already have something to make this more seamless, too.</div></div><div><br></div><div>Note: While there are many ways to use an AD account to access a remote server, you *cannot* run the service process itself under an AD/LDAP account, i.e. you cannot specify non-local accounts in User=. But that's fine, because on Linux it wouldn't give you any network credentials anyway.</div><div><br></div>-- <br><div dir="ltr"><div dir="ltr">Mantas Mikulėnas</div></div></div>
_______________________________________________<br>
systemd-devel mailing list<br>
<a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank">systemd-devel@lists.freedesktop.org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/systemd-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/systemd-devel</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Bruno VERNAY<br></div>
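<div>The following unit files are an added worked example of option (a) from the quoted reply (a k5start template unit plus a consumer wired up with Requires/After and KRB5CCNAME), with option (b) shown as commented-out alternative lines. They are not part of the thread and not systemd or k5start project code. The unit names, the service account "foo", the consumer binary path and the keytab paths are hypothetical; the k5start flag meanings in the comments are as assumed here and should be checked against k5start(1) on the target system.</div>

```ini
# /etc/systemd/system/k5start@.service   (added example; hypothetical unit)
# Template instance name (%i) = the local service account that will consume
# the ticket cache, e.g. "systemctl enable k5start@foo.service".
[Unit]
Description=Kerberos ticket keeper for service account %i
After=network-online.target
Wants=network-online.target

[Service]
# Runs as root so it can read the host keytab (keep /etc/krb5.keytab 0600 root:root).
# The ticket cache it writes is chowned to the unprivileged consumer, so the
# consumer never needs the keytab itself.
# Assumed k5start flags: -f keytab, -U take the principal from the keytab,
# -K N re-check/renew every N minutes and stay in the foreground,
# -k cache path, -o/-g/-m owner/group/mode of the cache file.
ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -U -K 10 -k /tmp/krb5cc_%i -o %i -g %i -m 600
Restart=on-failure
RestartSec=30
# Do NOT enable PrivateTmp= in this unit or in the consumer: both must see the
# same /tmp/krb5cc_%i. If you want namespace isolation, move the cache to a
# RuntimeDirectory= under /run and point KRB5CCNAME there instead.

[Install]
WantedBy=multi-user.target
```

```ini
# /etc/systemd/system/ldap-consumer.service   (added example; hypothetical unit)
[Unit]
Description=Service that authenticates to LDAP/AD with Kerberos
# Option (a): pull in the ticket keeper for our account and order after it.
Requires=k5start@foo.service
After=k5start@foo.service network-online.target

[Service]
# Local account only: User= cannot name an AD/LDAP account (see the quoted reply).
User=foo
Group=foo
# Option (a): use the cache k5start maintains for this account.
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_foo
# Option (b) instead: remove Requires=/After=k5start@foo.service and KRB5CCNAME,
# give this account its own keytab readable only by User=foo, and let MIT Krb5
# fetch tickets on demand:
#Environment=KRB5_CLIENT_KTNAME=/etc/ldap/krb5.keytab
ExecStart=/usr/local/bin/ldap-consumer
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes

[Install]
WantedBy=multi-user.target
```

Two practical caveats with option (a) as written: Requires=/After= only guarantee that k5start has been exec'd, not that the first ticket has landed in the cache, so a consumer that authenticates immediately on startup should tolerate a missing or empty cache (retry) or the k5start unit should be switched to a mode that backgrounds only after the initial ticket is obtained; and if you prefer a KEYRING: cache type over a FILE: cache, remember that systemd gives each system service a private session keyring by default (KeyringMode=private), so a KEYRING:session cache written by k5start would not be visible to a separate consumer unit, which is exactly the kind of detail the keyring notes linked above address.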