freeipa/install/share/gssproxy.conf.template
Stanislav Levin 271fd162a7 ccache_sweeper: Add gssproxy service
The usage of the existing gssproxy service(`service/ipa-api`) leads
to undesirable for this case side effects such as auto renew of
expired credentials.

Fixes: https://pagure.io/freeipa/issue/8735
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-03-04 14:17:01 +02:00

26 lines
665 B
Plaintext

#Installed and maintained by ipa update tools, please do not modify
[service/ipa-httpd]
mechs = krb5
cred_store = keytab:$HTTP_KEYTAB
cred_store = client_keytab:$HTTP_KEYTAB
allow_protocol_transition = true
allow_client_ccache_sync = true
cred_usage = both
euid = $HTTPD_USER
[service/ipa-api]
mechs = krb5
cred_store = keytab:$HTTP_KEYTAB
cred_store = client_keytab:$HTTP_KEYTAB
allow_constrained_delegation = true
allow_client_ccache_sync = true
cred_usage = initiate
euid = $IPAAPI_USER
[service/ipa-sweeper]
mechs = krb5
cred_store = keytab:$HTTP_KEYTAB
socket = $SWEEPER_SOCKET
euid = $IPAAPI_USER
cred_usage = initiate