[38418] in Kerberos
Re: Running KDC as non-root and dockerize KDC
daemon@ATHENA.MIT.EDU (Yegui Cai)
Mon Jan 7 12:31:24 2019
In-Reply-To: <jlg5zv4wgb6.fsf@redhat.com>
From: Yegui Cai <caiyegui@gmail.com>
Date: Mon, 7 Jan 2019 12:31:03 -0500
Message-ID: <CAJYMFR5ZBsEtd1YrjWMxWs8ef8=VDCW1JH3VH+bXHt_kLgBM8A@mail.gmail.com>
To: Robbie Harwood <rharwood@redhat.com>, kerberos@mit.edu
Hi Robbie.
I ran into the case where the privileged ports are not allowed to be
bound. Do you know how I can work around this?
Thanks,
YC
On Fri, Jan 4, 2019 at 11:14 AM Robbie Harwood <rharwood@redhat.com> wrote:
> Yegui Cai <caiyegui@gmail.com> writes:
>
> > Hi all.
> >
> > This can be two threads but I have the following two questions at the
> > same time.
> >
> > 1. Can we run KDC as a non-root user? Meaning is it required to run
> > KDC as root?
>
> The KDC and kadmin want several low-number ports, including 88, 749, and
> possibly 754. They also need permissions set up correctly in order to
> access the datastore. Modifying these permissions requires some care to
> avoid circumventing any additional protections your system may already
> have (e.g., SELinux). I'm not aware of other potential issues.
>
> > 2. Are there any official Docker images for KDC? Or any plan to have
> > one?
>
> The FreeIPA project has container images for the server:
> https://www.freeipa.org/page/Docker (note that this includes more than
> just a KDC, though).
>
> I'm not aware of anyone else distributing images, but there's nothing
> that stops you from setting it up in a container.
>
> Thanks,
> --Robbie
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
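
An added diagnostic for the bind failure discussed in this thread (example code, not from the original messages or from MIT krb5): it reports, for ports 88, 749 and 754, whether the current process would need privilege to bind them and whether a real bind succeeds. It assumes Linux, where the threshold is the `net.ipv4.ip_unprivileged_port_start` sysctl and the relevant capability is `CAP_NET_BIND_SERVICE`; the function names are hypothetical.

```python
"""Check whether this process can bind the KDC/kadmin ports (Linux only)."""
import errno
import socket
from pathlib import Path

KDC_PORTS = (88, 749, 754)     # ports named in the thread
CAP_NET_BIND_SERVICE = 10      # capability number from linux/capability.h
SYSCTL = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def has_net_bind_cap(status_text):
    """True if the CapEff mask from /proc/<pid>/status has CAP_NET_BIND_SERVICE."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_NET_BIND_SERVICE) & 1)
    return False


def needs_privilege(port, unprivileged_start=1024):
    """Ports below the sysctl threshold require CAP_NET_BIND_SERVICE to bind."""
    return 0 < port < unprivileged_start


def try_bind(port, kind=socket.SOCK_STREAM, host="127.0.0.1"):
    """Attempt a real bind; return None on success, else the errno name."""
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((host, port))
            return None
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))


def report(ports=KDC_PORTS):
    """Return (port, needs_privilege, has_cap, tcp_error, udp_error) per port."""
    try:
        start = int(Path(SYSCTL).read_text())
    except (OSError, ValueError):
        start = 1024  # assumed default when the sysctl cannot be read
    try:
        cap = has_net_bind_cap(Path("/proc/self/status").read_text())
    except OSError:
        cap = False
    return [(p, needs_privilege(p, start), cap,
             try_bind(p), try_bind(p, socket.SOCK_DGRAM)) for p in ports]


if __name__ == "__main__":
    for port, priv, cap, tcp, udp in report():
        print(f"{port}: privileged={priv} cap={cap} tcp={tcp or 'ok'} udp={udp or 'ok'}")
```

An `EACCES` result with `privileged=True` and `cap=False` is the condition described in the reply above; `EADDRINUSE` means another process already holds the port.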