Re: Service that runs with network credentials

Maybe the keyring is part of the answer: http://man7.org/linux/man-pages/man7/session-keyring.7.html
You may find many pointers here: https://gitlab.com/BrunoVernay/systemd-playground/tree/master/12-keyring (some may be outdated)
It is a way to make credentials available to a service.


On Thu, Dec 5, 2019 at 12:54 PM Mantas Mikulėnas <grawity@xxxxxxxxx> wrote:
On Thu, Dec 5, 2019 at 9:27 AM Kenneth Porter <shiva@xxxxxxxxxxxxxxx> wrote:
What's the best practice for defining a service that might require network
credentials to run? Are there example unit files that do this? How does one
set up the dependencies to access an LDAP or Active Directory server, for
example?

It varies a bit, as Linux doesn't really have a unified concept of "network credentials" for services.

If the server accepts Kerberos authentication (e.g. MS AD), then you can:
a) set up a separate service that runs 'k5start', obtaining Kerberos tickets based on /etc/krb5.keytab, allowing you to use Requires/After=k5start@foo.service and Environment="KRB5CCNAME=FILE:/tmp/krb5cc_foo";
or b) with MIT Krb5, let the library do this automatically by specifying a 'client keytab' via Environment="KRB5_CLIENT_KTNAME=/etc/ldap/krb5.keytab";
or c) set up gss-proxy in client mode, then use Environment="GSS_USE_PROXY=1".
Maybe Samba or SSSD already have something to make this more seamless, too.

Note: While there are many ways to use an AD account to access a remote server, you *cannot* run the service process itself under an AD/LDAP account, i.e. you cannot specify non-local accounts in User=. But that's fine, because on Linux it wouldn't give you any network credentials anyway.

--
Mantas Mikulėnas
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel


--
Bruno VERNAY
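Option (a) from Mantas's reply, written out as a pair of unit files. This is an added example, not code from the thread or from the systemd project; it assumes a local service account `foo`, a hypothetical consumer binary `/usr/local/bin/my-ldap-client`, and the documented k5start options named in the comments. It puts the cache under a per-instance RuntimeDirectory rather than the shared /tmp path quoted above, so other local users cannot read or swap the ticket file.

```ini
# /etc/systemd/system/k5start@.service
# Template: instance name (%i) is the local account that will consume the tickets.
[Unit]
Description=Kerberos ticket cache for %i from /etc/krb5.keytab
Wants=network-online.target
After=network-online.target

[Service]
# Runs as root because /etc/krb5.keytab is normally root-only (mode 0600);
# the cache itself is handed to %i with -o/-m so the consumer can read it.
User=root
# /run/krb5cc-%i is created for this unit and removed when it stops.
RuntimeDirectory=krb5cc-%i
# Assumed k5start flags: -U take the principal from the keytab, -f keytab,
# -k cache file, -K renew interval in minutes, -o owner and -m mode of the
# cache, -L log to syslog, -x exit on the first failure so Restart= kicks in.
ExecStart=/usr/bin/k5start -U -f /etc/krb5.keytab -K 10 \
    -k /run/krb5cc-%i/krb5cc -o %i -m 0600 -L -x
Restart=on-failure
RestartSec=30s
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes

[Install]
WantedBy=multi-user.target
```

```ini
# /etc/systemd/system/my-ldap-client.service  (hypothetical consumer)
[Unit]
Description=Service that talks to AD over LDAP with GSSAPI
# Requires= (not Wants=) so the consumer is stopped if its ticket source dies,
# and After= so it never starts before a cache exists.
Requires=k5start@foo.service
After=k5start@foo.service

[Service]
User=foo
# Must match the -k path in k5start@foo.service, with the FILE: prefix.
Environment=KRB5CCNAME=FILE:/run/krb5cc-foo/krb5cc
ExecStart=/usr/local/bin/my-ldap-client
# Option (b) instead: drop the Requires/After and KRB5CCNAME lines above and let
# MIT Krb5 fetch tickets itself from a keytab that user foo can read, e.g.
#   Environment=KRB5_CLIENT_KTNAME=/etc/ldap/krb5.keytab
```

Check with `systemctl status k5start@foo.service` and, as user foo, `klist` with the same KRB5CCNAME; if the consumer still sees no credentials, the two paths in `-k` and `KRB5CCNAME` are the first thing to compare.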
