How to renew Kerberos ticket of other user as an admin or root? - kerberos

How to renew Kerberos ticket of other user as an admin or root?
I have some LSF jobs running which access a Kerberos-protected mount.
As an admin I want to renew the Kerberos tickets for these users.

It is not possible. You have to execute the kinit command as the user you want to authenticate. It will create a ticket cache for that particular user only.
The purpose of your requirement is not clear. If you want to kinit periodically, you can use "crontab".

I am presently running a shell script which logs in to each user from root using "su - username".
I want to change the max lifetime date of the Kerberos ticket for each user whenever the script is run.
I want the max lifetime of the Kerberos ticket to be 7 days later whenever the script is run.
Meaning, if the script is run on 1 Dec at 10:30 am then the max lifetime should be 8 Dec 10:30 am.

Related

LDAP user login successful without role membership

My Rundeck details:
Rundeck version: 4.10.0
install type: DEB
OS Name/version: Debian 11
DB Type/version: h2
An LDAP user without a role membership can properly log in but cannot see any projects - so far fine.
How can I block such a user from logging in at all?
We have one "userBaseDn" group (userBaseDn="cn=Users,ou=PROD,dc=company,dc=com") in which all users are stored. But of course, only users in the following roleBaseDn group (roleBaseDn="cn=Rundeck_Admins,cn=Applications,ou=PROD,dc=company,dc=com") should have access to the Rundeck Web UI.
I expect that only users in the group "Rundeck_Admins" can log in to Rundeck at all.
Currently, you can only restrict that using an ACL policy (the user can log in but cannot view/edit/run any project/job, as you say); please take a look at this.
Alternatively, you can create a specific branch in your LDAP server only for Rundeck users.
"Currently" means there will be a change to this behavior?
As far as I understand LDAP, for a specific LDAP branch in which I place users, I have to manage users twice: first in the user directory and second in the specific Rundeck group. For me quite unhandy...

Is there a way to use a non-login user to run Rundeck jobs?

So my goal is to create a Rundeck job that runs on a schedule and isn't run as my personal user, or any "regular" user, but rather as a bot user. Ideally this bot user wouldn't have login access and would have restricted permissions for security reasons, but would be able to run certain jobs. I've tried searching, but the only information I'm finding is about how to create a "regular" user in Rundeck. Even if I go down the route of creating the bot user as a "regular" user, to use it you need to pass in either the login credentials or an API token. An API token would be fine if it could be generated and pulled in on the fly. However, that is not the case; the API token has an expiration itself. If there is something I'm missing, please let me know. I'd love to get this working.
Rundeck Version: Rundeck 3.2.1-20200113
Rundeck Cli Version: 1.1.7
You can set the following configuration in your rundeck-config.properties file (usually at /etc/rundeck/ directory):
rundeck.api.tokens.duration.max=0
This will disable the maximum period; you can see this in the official documentation here.
With that, your "bot user" can do it through API / RD CLI as you wrote.
Try using webhooks: https://docs.rundeck.com/docs/manual/12-webhooks.html
You can trigger a job by making an HTTP request.
The way I've implemented bots is as a user who is a member of a 'bot' user group, with ACLs that lock down that group as required. Any passwords required for the scheduled job are loaded into the key storage of the bot user.
With this approach you still need someone who knows the bot credentials to login as them and set passwords/SSH keys, but that's a one-off. Is that what you're trying to avoid?
The one annoying thing I've found is that a scheduled job always seems to run as the last user to edit the job - so I grant edit access to bot users and make sure to set/reset the schedule after any edit by a normal user. Hoping to address this through https://github.com/rundeck/rundeck/issues/1603, you might want to give it a 👍.

User running a scheduled job in Rundeck

Is there a way to force all scheduled job runs to be performed by a certain user, instead of the user which enabled the scheduling?
What I meant is the rundeck user, not the node user, like those defined in the realm.properties file.
Let's say I have 2 users defined: user1 and user2.
user1 logs into rundeck and starts a job. In the recent executions list the job will appear as performed "by user1".
user1 now edits the job and enables the "Schedule to run repeatedly" option.
When the job starts on the schedule it will also be reported as run "by user1".
What I need is a way to tell rundeck that all jobs which have "Schedule to run repeatedly" enabled should be run by another user (such as user2) instead of the user that edited them and enabled the scheduling (user1).
Why do I want this? Two reasons:
1. Cleanliness: I want all automated jobs to be listed as run by a "rundeck service" user.
2. Issues with LDAP and ACLs: our rundeck users are imported from LDAP and rundeck ACLs are set for LDAP groups. When a job is run on schedule rundeck will not call the LDAP server to retrieve the group list, the user will then be treated as having no group and consequently no ACL and the job will fail because of lack of permissions.
Yes, you can specify a different account via the username attribute for that Node definition.

How to make a PowerShell script executable only [no read/write permission]

I have a PowerShell script which runs when the user logs on and logs off.
The script has confidential information such as an admin user id and password.
So I want this script to be executable only, with no read/write permission.
Is there any way to achieve this?
Thanks,
Why embed admin credentials in the script? You can set it up as an event-triggered scheduled task (based on the logon and logoff events), and register it to run under the admin creds. The password will be stored with the task registration and not visible to the user.
You can just convert it to binary, check out this thread: https://social.technet.microsoft.com/Forums/windowsserver/en-US/4b53e1f1-2706-4be1-9355-65d259a45834/convert-powershell-script-to-exe-file?forum=winserverpowershell

klist command usage related to Single Sign on for WAS 7 application

Team,
I am trying to implement SSO for a WAS7-based web application using Kerberos & SPNEGO. I am almost done with the configuration. I have a few doubts about Kerberos.
When I execute the command klist, the following is the output.
Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1#POC.MAIL.COM
Valid starting Expires Service principal
01/09/2014 16:15 02/09/2014 02:21 krbtgt/POC.MAIL.COM#POC.MAIL.COM
renew until 08/09/2014 16:15
My Question is "what expires and renew indicates here.?"
and "if it expires what is the process of renewing it.?"
Please put a comment if much information is required.
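The two klist columns asked about here, as an added example that is not part of any post on this page: a parser for the klist output shown above that separates "Expires" (the hard end of the current ticket; after it, kinit -R fails and a fresh kinit with a password or keytab is needed) from "renew until" (the latest point to which renewal can push Expires). The same "renew until" window is what the first question's 7-day lifetime corresponds to (requested with kinit -r 7d and bounded by the KDC's max_renewable_life); the renewal-lifetime rule in renewed_expiry is an assumption, not something the page states.

```python
import re
from datetime import datetime, timedelta
# Constructed sample: the klist output from the question, kept verbatim ('#' as posted).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_38698
Default principal: pocsso1#POC.MAIL.COM
Valid starting     Expires            Service principal
01/09/2014 16:15   02/09/2014 02:21   krbtgt/POC.MAIL.COM#POC.MAIL.COM
        renew until 08/09/2014 16:15
"""
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}"                      # DD/MM/YYYY HH:MM as shown
TICKET_RE = re.compile(rf"^\s*({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")

def parse_ts(s):
    return datetime.strptime(s, "%d/%m/%Y %H:%M")

def parse_klist(text):
    """Return one dict per ticket: service, starting, expires, renew_until (None if not renewable)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"starting": parse_ts(m.group(1)), "expires": parse_ts(m.group(2)),
                            "service": m.group(3), "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:                 # 'renew until' belongs to the ticket line above it
            tickets[-1]["renew_until"] = parse_ts(m.group(1))
    return tickets

def renewable_life(ticket):
    """Total window in which the ticket can be kept alive by renewal (the first question's '7 days')."""
    return ticket["renew_until"] - ticket["starting"] if ticket["renew_until"] else timedelta(0)

def ticket_state(ticket, now):
    """'valid-renewable': kinit -R still works; 'valid-final': usable but past renew until, so
    re-authenticate before Expires; 'expired': past Expires, kinit -R fails, a fresh kinit is needed."""
    if now >= ticket["expires"]:
        return "expired"
    if ticket["renew_until"] is None or now >= ticket["renew_until"]:
        return "valid-final"
    return "valid-renewable"

def renewed_expiry(ticket, now):
    """Expires value a kinit -R at `now` would yield: same lifetime as the original ticket, never
    later than renew until (assumption: the KDC grants the full lifetime again on renewal)."""
    if ticket_state(ticket, now) != "valid-renewable":
        return None
    lifetime = ticket["expires"] - ticket["starting"]
    return min(now + lifetime, ticket["renew_until"])
```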