by metmac
223 days ago
Now do this in containers with gMSAs. It eliminates the need for passing around Admin creds, which I cannot stress enough. You shouldn't be throwing your DA credentials into your random Linux machine's Kerberos cache. Amazon open sourced a project trying to solve similar problems: https://github.com/aws/credentials-fetcher Nifty, but it was clearly made with AWS assumptions, and we had to roll our own with the various hooks we needed for our cloud infra.
|
It would be great if Linux had a mechanism where the host itself could act as the principal to retrieve the gMSA, like on Windows, but the GSSAPI worker model just works differently there and runs in process. A similar problem exists for using Kerberos FAST/armouring: Windows uses the host's ticket to wrap the client request, but on Linux there is no privileged worker process that protects this ticket, so the client needs to have full access to it.
The closest thing I've seen is gssproxy [1], which tries to solve the problem where you want to protect host secrets from a client actually seeing them while still letting the client use them, but I've not seen anything from there to support gMSAs for armouring client TGT requests.
[1] https://github.com/gssapi/gssproxy