URL:
https://github.com/SSSD/sssd/pull/616
Title: #616: become_user: add supplementary groups so ad provider can access keytab
asheplyakov commented:
"""
I wonder if you wouldn't be able to achieve the same by setting
the primary group of the _sssd user to _keytab?
This way other daemons which need access to keytab (apache, postgresql, you name it) might
be able to read sssd caches and logs (which belong to _sssd:_keytab). It looks like
sssd is careful enough to chmod 600 all those files, yet it's better to avoid possible
bugs.
Could the keytab file allow the sssd user to read the contents with a
POSIX ACL?
- often the keytab is managed automatically by `samba-tool join` or similar tools. Patching
these tools to set proper ACLs *when the sssd package is installed* doesn't look like a
good idea. On the other hand, it's enough to patch libkrb5 to force correct
group/permissions of /etc/krb5.keytab, and the patch is simple enough (see
http://git.altlinux.org/people/sin/packages/?p=krb5.git;a=blob;f=krb5-1.1...)
- also not every filesystem/kernel supports POSIX ACLs (think of those NAS devices), but
virtually all sensible filesystems know what uid/gid are.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/616#issuecomment-405040134
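The trade-off discussed above (primary group `_keytab` versus a supplementary group picked up at privilege drop), as an added example that is not sssd's own code: a minimal `become_user()` in the style of the PR, plus a pure POSIX permission model to show why the primary-group variant exposes sssd-created files to other `_keytab` members. The uids/gids (`_sssd`=101, `_keytab`=200, `apache`=48) and the 0640 cache mode are constructed assumptions.

```c
/* Added example, not from the sssd tree. Models the comment's concern:
 * if _sssd's primary gid is _keytab, every file sssd creates defaults to
 * group _keytab, so any other daemon in _keytab can read it unless sssd
 * chmods 600 everywhere. A supplementary gid avoids that. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop from root to `user`, loading its supplementary groups via
 * initgroups(3) so a keytab owned root:_keytab (mode 0640) is readable,
 * while new files still get the user's primary group. Needs root. */
int become_user(const char *user)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    if (initgroups(user, pw->pw_gid) != 0) return -1; /* supplementary gids */
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    return 0;
}

/* Classic POSIX read check: owner class first, then group class (primary
 * or any supplementary gid), then other. Pure function, no syscalls. */
int can_read(uid_t uid, gid_t gid, const gid_t *sup, size_t nsup,
             uid_t st_uid, gid_t st_gid, mode_t st_mode)
{
    if (uid == st_uid) return (st_mode & S_IRUSR) != 0;
    int in_group = (gid == st_gid);
    for (size_t i = 0; i < nsup && !in_group; i++) in_group = (sup[i] == st_gid);
    if (in_group) return (st_mode & S_IRGRP) != 0;
    return (st_mode & S_IROTH) != 0;
}

/* Constructed ids: _sssd=101 (primary 101), _keytab=200, apache=48 with
 * _keytab as a supplementary group. Assumes an sssd cache left at 0640
 * (the "possible bug" case). Returns 1 if apache could read it. */
int apache_can_read_sssd_cache(int keytab_is_primary)
{
    gid_t apache_sup[] = { 200 };
    gid_t cache_gid = keytab_is_primary ? 200 : 101; /* group new files get */
    return can_read(48, 48, apache_sup, 1, 101, cache_gid, 0640);
}
```

`become_user()` itself only succeeds as root; the permission model is what the comparison rests on and runs unprivileged.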