I have created a keytab file under the user home directory `$HOME/client.keytab`. The authentication cache file is in its default location `/tmp/krb5cc_%U` (where `%U` is the UID). Now, I have this simple systemd unit file to launch the service, and get authentication keys:
```ini
[Unit]
Description=Initializes, caches and renews Kerberos tickets for user
After=default.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/usr/bin/kdestroy -q -c /tmp/krb5cc_%U
ExecStart=/usr/bin/kinit -V -l 30d -r 365d -k -t %h/client.keytab -c /tmp/krb5cc_%U %u@EXAMPLE.COM
ExecStartPost=/usr/bin/krenew -b -K 60 -k /tmp/krb5cc_%U
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=KerberosTicketing

[Install]
WantedBy=default.target
```
This works perfectly, and creates and stores the Kerberos authentication tickets if the `After` points to `default.target`. However, why `default.target`? That is quite late in the boot process. I would rather have it work at `multi-user.target`, so that I can use the generated tickets to mount remote file systems from servers that do not accept public/private authentication.

EDIT: If the `After` is anything but `default.target` or later, `kinit` fails with the error `kinit: Cannot find KDC for realm "EXAMPLE.COM" while getting initial credentials`.

I am basically trying to accomplish this: SSHFS automount through FSTAB using Kerberos (GSSAPI).
For systemd --user units, that's where the time starts. The entire --user manager starts late in the boot process – it is a system service (`user@.service`) which is started by systemd-logind, which itself always starts during late boot.
To order the service against earlier units (like remote-fs.target), you need to convert this to a system service. Then your .mount units (or your fstab entries) will be able to specify dependencies on your service, as well.
Note that WantedBy= does not define when your unit will be queued (in a way it does the opposite). Instead, that is defined by the (implicit and explicit) Before=/After= options. It is perfectly possible and common to have a unit with "WantedBy=multi-user.target", but also "DefaultDependencies=no" and "Before=remote-fs.target".
As a side note, do not run daemons such as `krenew -K` via `ExecStartPost=`. The only place that 'officially' allows long-running processes (and provides such features as `Restart=`) is the main `ExecStart=`, so if you want periodic renewal, put your `krenew -K` there.

You can run kinit as a second `ExecStartPre=`, or use `k5start -K` which will avoid the need to manually kinit.

```ini
ExecStart=/usr/bin/k5start -L -b -K 30 -f %h/client.keytab -k /tmp/krb5cc_%U -u %u@EXAMPLE.COM
```
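A system unit along the lines the answer describes, as an added example that is not part of the original answer: it runs `k5start` as the main process, orders itself before `remote-fs.target`, and spells out paths because specifiers such as `%h` and `%U` in a system unit refer to root rather than to the `User=` account. The unit name `kerberos-ticket.service`, the `client` account with UID 1000, its home directory and the realm `EXAMPLE.COM` taken from the question are assumptions.

```ini
# /etc/systemd/system/kerberos-ticket.service  (assumed name and location)
[Unit]
Description=Obtain and renew Kerberos tickets for the client account
# DefaultDependencies=no drops the implicit After=basic.target that would
# otherwise push this unit late; add the shutdown ordering that implies.
DefaultDependencies=no
Conflicts=shutdown.target
Before=shutdown.target
# The KDC must be reachable, so wait for the network to be online...
Wants=network-online.target
After=network-online.target
# ...and finish before network mounts are attempted.
Before=remote-fs-pre.target remote-fs.target

[Service]
# No -b: k5start stays in the foreground as the main ExecStart= process,
# so systemd tracks it and Restart= applies. -K 30 renews every 30 minutes,
# -L logs via syslog. Ticket lifetime (-l) is left to KDC policy here.
ExecStart=/usr/bin/k5start -L -K 30 -f /home/client/client.keytab -k /tmp/krb5cc_1000 -u client@EXAMPLE.COM
# Drop the cache when the service stops so no stale ticket lingers.
ExecStopPost=/usr/bin/kdestroy -c /tmp/krb5cc_1000
# Run as the unprivileged owner of the keytab and cache, not as root.
# (%u/%U/%h would still expand to root's values in a system unit, hence the
# literal paths and UID above.)
User=client
Group=client
Restart=on-failure
RestartSec=30
SyslogIdentifier=KerberosTicketing

[Install]
WantedBy=multi-user.target
```

Keep the keytab readable only by that user (mode 0600); it is a long-lived credential equivalent to the account's password. The fstab entries for the remote file systems can then order after this unit with `x-systemd.requires=kerberos-ticket.service` alongside `_netdev`.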