can gssproxy be used for both cron jobs and normal users?

can gssproxy be used for both cron jobs and normal users?

[Charles Hedrick]

<div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">About a month ago there was discussion about gssproxy, including use for cron jobs.</div><div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><br></div><div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">I just did some testing. With constrained delegation I can make cron jobs work. However when I do, normal users can no longer use NFS. It appears that when rpc.gssd has GSS_USE_PROXY set, it always uses the proxy. So normal Kerberos tickets from login or ssh don't work. I looked at the source for gssproxy. It appears that when impersonation is turned on, it always tries to impersonate.&nbsp;It doesn't check if there's a TGT that would allow it to get a normal service ticket.</div><div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><br></div><div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">Unless I'm missing something we can't actually use this for cron job, since the system couldn't be used for anything else.</div><div class="elementToProof" style="font-family: Aptos, Aptos_EmbeddedFont, Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);"><br></div>

can gssproxy be used for both cron jobs and normal users?

[Charles Hedrick]

My apologies for the previous copy. That was Microsoft's idea of plain 
text. This is Thunderbird's.

-----------------------------

About a month ago there was discussion about gssproxy, including use for 
cron jobs.

I just did some testing. With constrained delegation I can make cron 
jobs work. However when I do, normal users can no longer use NFS. It 
appears that when rpc.gssd has GSS_USE_PROXY set, it always uses the 
proxy. So normal Kerberos tickets from login or ssh don't work. I looked 
at the source for gssproxy. It appears that when impersonation is turned 
on, it always tries to impersonate. It doesn't check if there's a 
TGT that would allow it to get a normal service ticket.

Re: can gssproxy be used for both cron jobs and normal users?

[Charles Hedrick]

> I just did some testing. With constrained delegation I can make cron
> jobs work. However when I do, normal users can no longer useNFS. It
> appears that when rpc.gssd has GSS_USE_PROXY set, it always uses the
> proxy. So normal Kerberos tickets from login or ssh don't work. I looked
> at the source for gssproxy. It appears that when impersonation is turned
> on, it always tries to impersonate. It doesn't check if there's a
> TGT that would allow it to get a normal service ticket.

The answer seems to be that

GSSPROXY_BEHAVIOR=LOCAL_FIRST

must be set. The default effectively uses only gssproxy, so users who 
could access NFS using a normal TGT fail if impersonation isn't set for 
them. However LOCAL_FIRST causes it to try normal credentiais before 
using gssproxy.