On Thu, 2013-06-20 at 14:57 +0930, William Brown wrote:
GSS proxy looks like a great new feature in F19.
However, Everything I am reading talks about the API benefits of this,
and how to integrate this with applications.
The main issue with application is with those that are 'smarter' than
average and implemented direct kerberos calls to kinit or check for
ccaches or what not. These apps needs to be changed to remove those
operations or make them optional, as the point of using gssproxy is that
they have no direct access to the keytab or the ccache and therefore
those operations will fail. In general removing code is actually easy
But the most important task
of actually providing the keytabs to GSS proxy seems to be undocumented.
We are indeed lacking a bit in documentation.
But if you look at the default configuration you should see how to
specify where the keytab is.
How do you add an exported keytab into GSS proxy?
We provide a directory in /var/lib/gssproxy/clients where yoiu can drop
keytabs, but you are not restricted to that directory, for specific
service you can add custom configurtion and point to an arbitrary files.
(I am off list, so please make sure to CC me on a reply)
Simo Sorce * Red Hat, Inc * New York