I'm looking to understand a little better how the framework is using GSS Proxy to authenticate the user who is accessing the tools. The information here (https://www.freeipa.org/page/Troubleshooting/PrivilegeSeparation) is nice and I've been reading through the numerous libraries, python files, and configs... but I can't find how they are telling the WSGI app to use GSS to impersonate.
Any guidance is appreciated, reading suggestions, examples, what have you :)
*ipa help topics* gives me
# ipa help topics
ipa: ERROR: System encoding must be UTF-8, 'ANSI_X3.4-1968' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
# env | egrep LANG\|LC
# echo $?
Shouldn't the command line interface work by default? Why not silently assume UTF-8 and continue?
Printing a warning might be OK.
We currently do rsync backups of our server. On an MIT server, you’d want to omit the stash file. But IPA doesn’t use that. Is there anything like that that should be omitted? I’m not sure just how freeipa bootstraps trust when it starts up.
I have software running on a freeipa client node which is started via systemd by using a freeipa account.
The software daemon needs to access the software related config files stored on a kerberized nfs share.
I really wonder what is the recommended and stable way to make sure that the software (so the ipa account)
has reliable access to the kerberized nfs share - without any manual actions like ssh login, etc.
Basically it’s clear that somehow there must be a valid kerberos ticket for the related freeipa account which connects
to the freeipa based nfs service.
So, sure there is an option to run some kind of cronjob which cares for the user related valid kerberos ticket,
but I think this is not the way to go … especially I don't want to have any passwords for "kinit tasks" stored on the
system for security reasons.
I hope there is an easy and secure configuration which covers that use case ^^^:)
Any hints are welcome!
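As an added illustration (not part of the post above, and not an official FreeIPA recipe), the following systemd unit shows the usual password-free pattern for this use case: the service account's keys are stored in a keytab readable only by that account, and the unit obtains a ticket from the keytab into a private credential cache before the daemon touches the NFS mount. The unit name, the mount point /mnt/config, the account name svcaccount, the realm EXAMPLE.REALM, and all paths are assumptions chosen for the example.

```ini
# /etc/systemd/system/mysvc.service (hypothetical unit; all names and paths are placeholders)
[Unit]
Description=Example daemon that reads its config from a Kerberized NFS share
After=network-online.target remote-fs.target
Wants=network-online.target
# Do not start before the NFS share (assumed mount point) is mounted
RequiresMountsFor=/mnt/config

[Service]
# Run as the IPA account that owns the data; ExecStartPre runs as this user too
User=svcaccount
Group=svcaccount
# Private, per-service credential cache instead of a shared /tmp cache
RuntimeDirectory=mysvc
RuntimeDirectoryMode=0700
Environment=KRB5CCNAME=FILE:/run/mysvc/krb5cc
# Get a TGT from the keytab (no password on disk, only the account's keys).
# The keytab must be owned by svcaccount with mode 0600.
ExecStartPre=/usr/bin/kinit -k -t /etc/mysvc/svcaccount.keytab svcaccount@EXAMPLE.REALM
ExecStart=/usr/local/bin/mysvc --config /mnt/config/mysvc.conf
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

Two caveats worth checking before copying this: tickets expire, so a companion systemd timer that re-runs the same kinit command before the ticket lifetime ends (or gssproxy configured to acquire credentials from the keytab on the service's behalf) is needed for long-running daemons; and fetching a keytab for a user principal with ipa-getkeytab generates fresh keys by default, which invalidates that account's password, so a dedicated service account for the daemon is the safer choice.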