Yes,
I am using nsupdate. So not sure whether the /etc/dhcp/dhcp.keytab would solve the problem
(can I use the -k switch to specify the keytab location?)
That said, I still believe it would be best to keep all keytabs in the same location
(so sssd could renew them, one day) and use gss-proxy to leverage privileges - that's
the intended purpose of this daemon anyway, is it?
Thanks for the info regarding RH-7.
Ondrej
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Simo Sorce
Sent: Wednesday, May 01, 2013 11:02 PM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Gss-proxy
On Wed, 2013-05-01 at 16:53 -0400, Simo Sorce wrote:
> But whether you can use it or not depends on whether the dhcp server
> uses just GSSAPI or still does some native kerberos calls.
> If the latter it should be patched first to not use krb calls.
> Are you using a script that calls nsupdate? Or something else?
If you are using nsupdate you'll be fine, I checked it uses only GSS calls, so in
theory it could be used in conjunction with gss-proxy and obtain privilege separation this
way.
Simo.
--
Simo Sorce * Red Hat, Inc * New York