[36953] in Kerberos


Re: username/cron principals and cron

daemon@ATHENA.MIT.EDU (Frank Cusack)
Tue May 5 13:01:46 2015

In-Reply-To: <5548A881.30907@uni-koblenz.de>
Date: Tue, 5 May 2015 07:43:48 -0700
Message-ID: <CAAyYNQgAup0gt_jQeDhNvk3kGjvXE5Za-oTnxxAJCNO7SOyRtA@mail.gmail.com>
From: Frank Cusack <frank@linetwo.net>
To: Rainer Krienke <krienke@uni-koblenz.de>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>

I'm surprised you need a mapping at all.  The default mapping should simply
strip any instance component.  What happens if you kinit "manually" with
username/cron using a password?

On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke <krienke@uni-koblenz.de> wrote:

> Hello,
>
> I am setting up a kerberos/NFS4 environment. Basically everything seems
> to work. Every user has of course a principal username@MYREALM, where
> username is the unix user name. The users' homes are on a kerberos/NFS4
> mounted directory.
>
> Now for running cron jobs I have to export a principal to a keytab and
> thus I do not want to use the user principal username@MYREALM
> (exporting would also change its key) but a special
> username/cron@MYREALM principal.
> In order to run a cron job I would like to use kinit to get a ticket and
> then start the real work like this:
>
> kinit -k -t /etc/keytabs/cron/usernameCron.keytab username/cron@MYREALM;
> touch /home/username/xyz
>
> Because the users have their home on a NFS4 mounted directory I have to
> take care that the local user for the cron-principal
> username/cron@MYREALM is mapped to "username", the unix user for the
> principal.
>
> To achieve this I created an auth_to_local rule in /etc/krb5.conf on the
> NFS client and on the kerberos server as well:
>
>         auth_to_local = RULE:[2:$1;$2](^.*;cron$)s/;cron//
>
> This should remove the "cron" part for the local user from the
> principal. Actually I do not see any effect anywhere in the logs but
> perhaps this is normal, I don't know.
>
> After all this, things do not work and I do not know what's wrong.
> When running a cron-job that e.g. tries to create a file on the user's NFS4
> home directory I simply get a "permission denied" error. When I use the
> original user principal for this purpose it works. So the mapping does
> not seem to work as expected.
>
> Does anyone know what might be wrong?
>
> Thanks for any help
> Rainer Krienke
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1,
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
>
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
