Probably not the best list to ask this question, but I will try anyway.
Can we expect gss-proxy in RHEL-7? The thing is that I would like to let a Linux-based dhcp server update a Windows-based DNS server via gss-tsig updates, and I hate the 'chgrp dhcpd /etc/krb5.keytab' dirty hack.
I guess sssd should use gss-proxy as well. Thanks, Ondrej
Hello
On Thu, May 2, 2013 at 12:46 AM, Ondrej Valousek <ovalousek@vendavo.com> wrote:
Probably not the best list to ask this question, but I will try anyway.
Can we expect gss-proxy in RHEL-7? The thing is that I would like to let a Linux-based dhcp server update a Windows-based DNS server via gss-tsig updates, and I hate the 'chgrp dhcpd /etc/krb5.keytab' dirty hack.
The right platform is here: https://access.redhat.com/groups/red-hat-enterprise-linux-7-ideas If you are a Red Hat customer, open an RFE with Red Hat support.
I guess sssd should use gss-proxy as well. Thanks, Ondrej
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Regards Arpit Tolani
On Wed, 2013-05-01 at 19:16 +0000, Ondrej Valousek wrote:
Probably not the best list to ask this question, but I will try anyway.
Can we expect gss-proxy in RHEL-7? The thing is that I would like to let a Linux-based dhcp server update a Windows-based DNS server via gss-tsig updates, and I hate the 'chgrp dhcpd /etc/krb5.keytab' dirty hack.
You do not need to do this. Get a DNS/hostname principal for your dhcp server and store its keys in /etc/dhcp/dhcp.keytab, or wherever is more appropriate for your dhcp server to use it. (Adjust bind ACIs as appropriate if you are switching from using host/hostname to DNS/hostname principals in doing so.)
That said, gss-proxy will be in Fedora 19, and there is a good chance it will be in RHEL7 from the start.
But whether you can use it or not depends on whether the dhcp server uses just GSSAPI or still does some native kerberos calls. If the latter, it should be patched first to not use krb calls.
Are you using a script that calls nsupdate? Or something else?
I guess sssd should use gss-proxy as well.
sssd is one of the most trusted services in the system, so it doesn't really need privilege separation. Also, sssd does not use GSSAPI for many operations, so GSS-Proxy wouldn't help.
Simo.
On Wed, 2013-05-01 at 16:53 -0400, Simo Sorce wrote:
But whether you can use it or not depends on whether the dhcp server uses just GSSAPI or still does some native kerberos calls. If the latter, it should be patched first to not use krb calls.
Are you using a script that calls nsupdate? Or something else?
If you are using nsupdate you'll be fine; I checked, it uses only GSS calls, so in theory it could be used in conjunction with gss-proxy and obtain privilege separation this way.
Simo.
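Simo's approach above (a dedicated DNS/hostname keytab readable only by the dhcp service account, driving nsupdate -g, which he confirms makes only GSS calls), written up as an added example hook script; this is not code from the thread, and the keytab path, principal, ccache directory and zone names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a dhcpd hook that performs a GSS-TSIG
# update with a dedicated service keytab, so /etc/krb5.keytab can stay 0600 root.
# Keytab path, principal, zone names and the ccache directory are assumptions.

# Return 0 only if $1 is a separate keytab file owned by $2 with mode 0600/0400.
# find(1) is used rather than stat(1) so it works on both GNU and BSD userland.
keytab_is_dedicated() {
    keytab="$1"; owner="$2"
    [ -f "$keytab" ] || return 1
    # The host keytab carries keys for every service on the box; never reuse it.
    [ "$keytab" != "/etc/krb5.keytab" ] || return 1
    [ -n "$(find "$keytab" -maxdepth 0 -user "$owner" \
            \( -perm 600 -o -perm 400 \) 2>/dev/null)" ]
}

# Print the nsupdate script for one lease: replace the A record of $2 with $3
# on server $1, using a one hour TTL.
nsupdate_script() {
    printf 'server %s\nupdate delete %s A\nupdate add %s 3600 A %s\nsend\n' \
        "$1" "$2" "$2" "$3"
}

# Obtain a ticket from the dedicated keytab (KRB5_KTNAME steers kinit -k) into
# a private ccache, then submit the update with nsupdate -g (GSS-TSIG).
gss_tsig_update() {
    keytab="$1"; principal="$2"; server="$3"; fqdn="$4"; ip="$5"
    keytab_is_dedicated "$keytab" "$(id -un)" || {
        echo "refusing: $keytab is not a dedicated 0600 keytab for $(id -un)" >&2
        return 1
    }
    KRB5_KTNAME="FILE:$keytab"; export KRB5_KTNAME
    KRB5CCNAME="FILE:/run/dhcpd/krb5cc_nsupdate"; export KRB5CCNAME  # assumed dir
    kinit -k "$principal" || return 1
    nsupdate_script "$server" "$fqdn" "$ip" | nsupdate -g
}

# Invoked by dhcpd as the service user, e.g.:
#   gss-tsig-update.sh /etc/dhcp/dhcp.keytab DNS/dhcp1.example.test \
#       ns1.example.test host1.example.test 192.0.2.10
if [ "$#" -eq 5 ]; then
    gss_tsig_update "$@"
fi
```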
Yes,
I am using nsupdate, so I am not sure whether /etc/dhcp/dhcp.keytab would solve the problem (can I use the -k switch to specify the keytab location?). That said, I still believe it would be best to keep all keytabs in the same location (so sssd could renew them, one day) and use gss-proxy to leverage privileges; that's the intended purpose of this daemon anyway, isn't it?
Thanks for the info regarding RH-7.
Ondrej
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Simo Sorce
Sent: Wednesday, May 01, 2013 11:02 PM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Gss-proxy
On Wed, 2013-05-01 at 16:53 -0400, Simo Sorce wrote:
But whether you can use it or not depends on whether the dhcp server uses just GSSAPI or still does some native kerberos calls. If the latter, it should be patched first to not use krb calls.
Are you using a script that calls nsupdate? Or something else?
If you are using nsupdate you'll be fine; I checked, it uses only GSS calls, so in theory it could be used in conjunction with gss-proxy and obtain privilege separation this way.
Simo.
-- Simo Sorce * Red Hat, Inc * New York