[36952] in Kerberos


username/cron principals and cron

daemon@ATHENA.MIT.EDU (Rainer Krienke)
Tue May 5 07:25:24 2015

Message-ID: <5548A881.30907@uni-koblenz.de>
Date: Tue, 05 May 2015 13:24:49 +0200
From: Rainer Krienke <krienke@uni-koblenz.de>
To: kerberos@mit.edu

Hello,

I am setting up a Kerberos/NFS4 environment. Basically everything seems
to work. Every user has of course a principal username@MYREALM, where
username is the unix user name. The users' homes are on a Kerberos/NFS4
mounted directory.

Now for running cron jobs I have to export a principal to a keytab and
thus I do not want to use the user principal username@MYREALM
(exporting would also change its key) but a special
username/cron@MYREALM principal.
In order to run a cron job I would like to use kinit to get a ticket and
then start the real work like this:

kinit -k -t /etc/keytabs/cron/usernameCron.keytab username/cron@MYREALM;
touch /home/username/xyz

Because the users have their home on an NFS4 mounted directory I have to
take care that the local user for the cron-principal
username/cron@MYREALM is mapped to "username", the unix user for the
principal.

To achieve this I created an auth_to_local rule in /etc/krb5.conf on the
NFS client and on the Kerberos server as well:

	auth_to_local = RULE:[2:$1;$2](^.*;cron$)s/;cron//

This should remove the "cron" part for the local user from the
principal. Actually I do not see any effect anywhere in the logs but
perhaps this is normal, I don't know.

After all, this way things do not work and I do not know what's wrong.
When running a cron job that e.g. tries to create a file on the user's NFS4
home directory I simply get a "permission denied" error. When I use the
original user principal for this purpose it works. So the mapping does
not seem to work as expected.

Does anyone know what might be wrong?

Thanks for any help
Rainer Krienke
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
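
Added example, not part of the original message: a small Python model of how an MIT krb5 auth_to_local RULE of the form used in the post is evaluated, so the rule text itself can be checked against username/cron@MYREALM and other principals. Python's re module stands in for the POSIX regular expressions krb5 uses, and the helper names (apply_rule, map_principal), the trailing DEFAULT entry and the sample principals are assumptions of this example.

```python
import re

# Added illustration of RULE:[n:fmt](regexp)s/pat/repl/ evaluation; re approximates POSIX regex.
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"        # [n:selection-format]
    r"(?:\(([^)]*)\))?"               # optional (match-regexp)
    r"((?:s/[^/]*/[^/]*/g?)*)$"       # zero or more s/pat/repl/ or s/pat/repl/g
)
SUB_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")

def split_principal(principal):
    """'user/cron@REALM' -> (['user', 'cron'], 'REALM'); no escaped '/' or '@'."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm

def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    n, fmt, regexp, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    comps, realm = split_principal(principal)
    if len(comps) != n:               # component count must equal n
        return None
    fields = [realm] + comps          # $0 is the realm, $1..$n the components
    selection = re.sub(r"\$(\d)", lambda d: fields[int(d.group(1))], fmt)
    if regexp is not None and not re.fullmatch(regexp, selection):
        return None                   # the regexp has to cover the whole string
    for pat, repl, flag in SUB_RE.findall(subs):
        selection = re.sub(pat, repl, selection, count=0 if flag else 1)
    return selection

def map_principal(rules, principal, default_realm):
    """First rule that applies wins; DEFAULT maps one-component local-realm names."""
    for rule in rules:
        if rule == "DEFAULT":
            comps, realm = split_principal(principal)
            if realm == default_realm and len(comps) == 1:
                return comps[0]
        else:
            local = apply_rule(rule, principal)
            if local is not None:
                return local
    return None

RULES = ["RULE:[2:$1;$2](^.*;cron$)s/;cron//", "DEFAULT"]   # rule from the post plus DEFAULT
if __name__ == "__main__":
    for p in ("username/cron@MYREALM", "username@MYREALM", "username/admin@MYREALM"):
        print(p, "->", map_principal(RULES, p, "MYREALM"))
```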
