[Freeipa-users] ipa and cronjob

Dmitri Pal dpal at redhat.com
Wed Nov 14 00:04:11 UTC 2012


On 11/13/2012 05:10 PM, george he wrote:
> Hi all,
> I have a cronjob run daily by an ipa user, which accesses nfs mounted
> data on the nfs server (another machine in the realm).
> The problem is when the user was away for a few days, his credential
> expired and the cronjob did not run until he came back and logged on
> to the system again. Then all halted cronjobs from the past days
> started to run, which is not desired because all of them were doing
> the same thing.
> My question is: Can we keep the cronjob running when the user's
> credential is expired? If we cannot, then can we skip or kill all of
> the old cronjobs but not the most recent one?
> Thanks,
> George

Which cron jobs to keep and which ones to kill is really something you
have to decide for yourself and script in your environment.

There are several ways to overcome the issue though.
Does the job really have to run as user?
If so you might want to consider allowing SSSD to automatically renew
the ticket on the user's behalf. See the sssd-krb5 man page for details
about renewable tickets. Once the original authentication is conducted
there is a period of validity of the ticket, but there is also a much
longer period (by default a week or so) during which the ticket can be
renewed on behalf of the user. If the usual absence of users is less
than, say, 10 days, you can set a policy in IPA to allow renewable
tickets for 10 days from the original authentication. Then the cron jobs
would be able to run for at least 10 days until the tickets completely
expire and can't be renewed. Keep in mind that by allowing the ticket to
be longer lived you reduce the security of your environment, as you
increase the time a potential attacker can use to crack the ticket.
However, this kind of attack is unlikely, but worth mentioning.

If the job can be run under a different identity then you have several
options.
You can create an account for the cron jobs to run as, assign a keytab
to it and provision it.
Then the cron job can use this account and keytab to acquire tickets.
One would have to periodically do kinit with this keytab as another cron
job, or use k5start, which is not supported in RHEL but available
upstream. Keep in mind that in the future the GSS proxy daemon would be
able to automatically renew the tickets for such accounts on an
as-needed basis. This functionality is planned for Fedora 19 and is
waiting for MIT 1.11 to land in Fedora later this year or early next year.

HTH

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


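The "separate account plus keytab" option from the reply above, combined with a guard against the pile-up of halted jobs that the original question describes, as an added example. This is not code from the thread, from FreeIPA or from SSSD: the principal nfsjob/host.example.com, the keytab, lock, stamp and cache paths, and the crontab line are all assumptions chosen for illustration. The job obtains its own TGT from a keytab on every run, so nobody's password-derived ticket or renewable lifetime is involved; a success stamp plus an atomic mkdir lock make a backlog of instances do the work once.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/SSSD: a cron wrapper
# that runs the job under its own service principal (the "separate account
# plus keytab" option) and refuses to repeat a run already done, so a backlog
# of queued instances does the work once. Every name below (principal, keytab,
# lock, stamp and cache paths) is an assumption for illustration.
set -u

PRINCIPAL="${PRINCIPAL:-nfsjob/host.example.com@EXAMPLE.COM}"  # assumed
KEYTAB="${KEYTAB:-/etc/nfsjob.keytab}"      # assumed; exported with ipa-getkeytab
LOCKDIR="${LOCKDIR:-/var/lock/nfsjob.lockdir}"                  # assumed
STAMP="${STAMP:-/var/lib/nfsjob/last-success}"                  # assumed
MIN_INTERVAL="${MIN_INTERVAL:-72000}"   # daily job: skip if it succeeded < 20h ago

# Private credential cache: the job never depends on, or clobbers, the cache
# left behind by a human user's interactive login.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/krb5cc_nfsjob_$(id -u)}"

# klist -s exits 0 only when the cache holds a valid, unexpired TGT.
ticket_valid() { klist -s >/dev/null 2>&1; }

# Fresh TGT from the keytab. Unlike a password-derived ticket this can be
# repeated on every run, so the user's presence and the renewable lifetime
# no longer matter; the keytab file is the long-lived secret to protect
# (owned by the job user, mode 0600).
acquire_ticket() { kinit -k -t "$KEYTAB" "$PRINCIPAL" >/dev/null 2>&1; }

# True if $1 (a file holding the epoch time of the last success) records a run
# less than $2 seconds before $3 (default: now).
ran_recently() {
    stamp=$1; max_age=$2; now=${3:-$(date +%s)}
    [ -r "$stamp" ] || return 1
    last=$(cat "$stamp")
    [ "$((now - last))" -lt "$max_age" ]
}

# mkdir is atomic, so it serves as a portable lock: a second instance (or a
# backlog fired all at once) returns 3 instead of running the job concurrently.
with_lock() {
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "lock $LOCKDIR held, skipping" >&2
        return 3
    fi
    "$@"; rc=$?
    rmdir "$LOCKDIR"
    return "$rc"
}

# Entry point. Returns 0 when the job ran or was skipped as already done,
# 2 when no TGT could be obtained, 3 when another instance holds the lock,
# otherwise the job's own exit status.
run_job() {
    if ran_recently "$STAMP" "$MIN_INTERVAL"; then
        echo "succeeded within the last ${MIN_INTERVAL}s, skipping" >&2
        return 0
    fi
    if ! ticket_valid && ! acquire_ticket; then
        echo "cannot obtain a TGT for $PRINCIPAL from $KEYTAB" >&2
        return 2
    fi
    with_lock "$@" || return $?
    mkdir -p "$(dirname "$STAMP")" && date +%s > "$STAMP"
}

# Crontab entry for the job user (assumed paths):
#   15 2 * * * /usr/local/bin/nfsjob-wrapper.sh /usr/local/bin/sync-nfs-data.sh
if [ "$#" -gt 0 ]; then
    run_job "$@"
fi
```

The keytab is produced once with ipa-getkeytab (for example `ipa-getkeytab -s ipa.example.com -p nfsjob/host.example.com -k /etc/nfsjob.keytab`, server name assumed) after the service principal has been added in IPA. If the job must stay under the human user's identity instead, the equivalent knobs are the krb5_renewable_lifetime and krb5_renew_interval options in sssd.conf (see sssd-krb5(5)) together with the realm's maximum renewable life set via `ipa krbtpolicy-mod --maxrenew`; the wrapper's stamp-and-lock logic applies unchanged in that case, only acquire_ticket becomes unnecessary.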

