mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
271fd162a7
The usage of the existing gssproxy service(`service/ipa-api`) leads to undesirable for this case side effects such as auto renew of expired credentials. Fixes: https://pagure.io/freeipa/issue/8735 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
26 lines
665 B
Plaintext
26 lines
665 B
Plaintext
#Installed and maintained by ipa update tools, please do not modify
|
|
[service/ipa-httpd]
|
|
mechs = krb5
|
|
cred_store = keytab:$HTTP_KEYTAB
|
|
cred_store = client_keytab:$HTTP_KEYTAB
|
|
allow_protocol_transition = true
|
|
allow_client_ccache_sync = true
|
|
cred_usage = both
|
|
euid = $HTTPD_USER
|
|
|
|
[service/ipa-api]
|
|
mechs = krb5
|
|
cred_store = keytab:$HTTP_KEYTAB
|
|
cred_store = client_keytab:$HTTP_KEYTAB
|
|
allow_constrained_delegation = true
|
|
allow_client_ccache_sync = true
|
|
cred_usage = initiate
|
|
euid = $IPAAPI_USER
|
|
|
|
[service/ipa-sweeper]
|
|
mechs = krb5
|
|
cred_store = keytab:$HTTP_KEYTAB
|
|
socket = $SWEEPER_SOCKET
|
|
euid = $IPAAPI_USER
|
|
cred_usage = initiate
|