#1 2018-02-20 14:54:11

leemorton
Member
Registered: 2018-02-20
Posts: 1

Kerberos + Winbind + Multiple Systemd Units

Hello! I have a requirement to use various Systemd timers to launch one app with different parameters of my choosing as and when I need to add a new timer. Each timer job will be authenticating via Kerberos to do its business.

The various different timers will likely be running their jobs at the same time in a lot of cases. My app currently manages and keeps alive Kerberos tickets internally via the use of kinit and keytabs. But also, there will be more than one timer job running and authenticating against the same Active Directory account. I do have the machine joined to the domain via winbind.

So I have a few questions based on this scenario:
1) How does kinit+winbind fundamentally track its tickets? Per user, per session, per process ID? For example, PID 1 + 2 + 3 are all systemd timer units running at the same time as root, but each one kinits to a different domain user. Will the last kinit fired overwrite the first one for root, or will it be isolated to its process?
2) Should I be running these all under root, or should I be running them under one service principal domain user (preferred)?
3) If I should be running multiple timers (adding new ones regularly) under one user simultaneously using different Kerberos tickets, how is that best managed? And if the unit is not running under root, how/where should I be logging from the services, because /var/log is restricted to root?

So my overall question is: how should this be, or how would you set this scenario up? The important part where my understanding is lacking is being able to isolate Kerberos tickets per process. Even via cron would be fine if that is better suited.

Thanks for your advice!

Last edited by leemorton (2018-02-20 15:02:12)
