document default_client_keytab_name MIT Kerberos feature #150

Open
ktdreyer opened this issue Apr 21, 2020 · 1 comment


ktdreyer commented Apr 21, 2020

When the Koji client makes an authenticated request with requests-gssapi, and the client has no Kerberos TGT in the cache, MIT Kerberos will attempt to authenticate with a keytab at /var/kerberos/krb5/user/$EUID/client.keytab.

A blog post that explains more about this feature of Kerberos: https://adam.younglogic.com/2015/05/auto-kerberos-authn/

This means that if the remote host has a keytab at /var/kerberos/krb5/user/$EUID/client.keytab, then koji-ansible will use this keytab for authentication. Users do not need to run kinit in a playbook or set a keytab in a Koji profile. This really simplifies the use of koji-ansible with Kerberos.

We should document this (here and Koji upstream) to make it easier to automate authentication.

@ktdreyer

As documented at https://web.mit.edu/kerberos/krb5-latest/doc/basic/keytab_def.html#default-client-keytab , MIT Kerberos first checks a KRB5_CLIENT_KTNAME environment variable, and then the default_client_keytab_name setting in /etc/krb5.conf.
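
The lookup order described in this issue, as an added example that is not part of the issue or of koji-ansible: it resolves which client keytab MIT Kerberos would pick for a given user and reports ownership or mode problems on that file, since a keytab is a long-lived credential. The function names are hypothetical, the fallback path is the one quoted in the issue, and only the `%{euid}` expansion token is handled.

```python
import os
import re
import stat

# Fallback path as quoted in the issue above (it is a build-time, distribution-specific default).
BUILD_DEFAULT = "FILE:/var/kerberos/krb5/user/%{euid}/client.keytab"


def keytab_from_krb5_conf(text):
    """Return default_client_keytab_name from [libdefaults], or None if unset."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if sep and section == "libdefaults" and key.strip() == "default_client_keytab_name":
            return value.strip()
    return None


def resolve_client_keytab(environ, krb5_conf_text, euid):
    """Apply the order from the issue: env var, then krb5.conf, then the default."""
    name = environ.get("KRB5_CLIENT_KTNAME")
    source = "KRB5_CLIENT_KTNAME"
    if name is None:
        name = keytab_from_krb5_conf(krb5_conf_text)
        source = "krb5.conf" if name else "build default"
        name = name or BUILD_DEFAULT
    name = name.replace("%{euid}", str(euid))  # other expansion tokens are not handled here
    if name.startswith("FILE:"):
        name = name[len("FILE:"):]
    return source, name


def keytab_problems(path, euid):
    """List ownership and mode findings for the keytab file at path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]
    problems = []
    if st.st_uid != euid:
        problems.append(f"owned by uid {st.st_uid}, expected {euid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"mode {stat.S_IMODE(st.st_mode):o} grants group/other access")
    return problems
```

Run `resolve_client_keytab(os.environ, open("/etc/krb5.conf").read(), os.geteuid())` on the managed host as the account that runs the playbook, then pass the resulting path to `keytab_problems`.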
