[37343] in Kerberos

Problem with /tmp/krb5cc_%uid cache file name

daemon@ATHENA.MIT.EDU (Rainer Krienke)
Thu Dec 17 08:48:10 2015

To: kerberos@mit.edu
From: Rainer Krienke <krienke@uni-koblenz.de>
Message-ID: <5672BCFF.5070208@uni-koblenz.de>
Date: Thu, 17 Dec 2015 14:47:43 +0100

Hello,

a while ago I set up NFS4/Kerberos in our network. So all NFS mounts are
done via NFS4. We are using MIT kerberos 5. In krb5.conf I configured
the credential cache file as:

default_ccache_name = /tmp/krb5cc_%{uid}

Now basically this setup works. However I have one problem that is
related to the cron-Principal and the default_ccache_name value.

Each user in my setup has a principal username@KRBREALM, for nfs access
there is an additional nfs/<fqdn>@KRBREALM principal. Users wanting to
run cron jobs have a username/cron@KRBREALM principal and a local
keytabfile on the cron host to which the cron principal was exported.

Now when a user logs in on the cron host a /tmp/krb5cc_<%uid> file is
created with a default principal of username@KRBREALM. It contains the
krbtgt service principal as well as nfs/<fqdn> service principals.

Next a cron job of this user starts. For this purpose the user prepends
its real cron job with a call like

kinit -k -t /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM

And since default_ccache_name is set to /tmp/krb5cc_%{uid} and the uid
of this user is always the same the file /tmp/krb5cc_<%uid> is
overwritten now containing the cron default principal. The user default
principal that was in there before is deleted. And since we see NFS
problems once a week on this host my guess is that this overwriting of
credential cache files might be the origin.

What I would like to have is either a way to *add* a cron service
principal to a possibly existing /tmp/krb5cc_%{uid} file with the
default user principal or to use a different default_ccache_name for
cron with something like:

	default_ccache_name = /tmp/krb5cc_{%service}

however there is no %service parameter expansion available.

Any idea how to solve this name-conflict?

Thanks for your help
Rainer
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
Web: http://userpages.uni-koblenz.de/~krienke
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
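
One way to keep a cron job's keytab credentials out of the login cache described in the message above, as an added example (not part of the original message and not MIT Kerberos code): a wrapper that points KRB5CCNAME at a private cache for the duration of one command. The function name, the temporary directory layout and the job script path are assumptions; how the NFS client locates credentials for the cron job is not addressed here.

```shell
#!/bin/sh
# Added example (not from the original message). Runs one cron command with
# its own credential cache, so "kinit -k" never touches /tmp/krb5cc_<uid>.
# Usage: run_with_private_ccache KEYTAB PRINCIPAL COMMAND [ARG...]
run_with_private_ccache() {
    _kt=$1
    _princ=$2
    shift 2

    # Private 0700 directory: no other local user can pre-create or read
    # the cache file placed inside it.
    _dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc_cron.XXXXXX") || return 1
    _cache="FILE:$_dir/krb5cc"

    _rc=0
    (
        # KRB5CCNAME takes precedence over default_ccache_name in krb5.conf,
        # but only inside this subshell; the caller's environment and the
        # login session's cache are left untouched.
        KRB5CCNAME=$_cache
        export KRB5CCNAME
        kinit -k -t "$_kt" "$_princ" || exit 1
        "$@"
    ) || _rc=$?

    # Drop the cron credentials as soon as the job ends.
    kdestroy -q -c "$_cache" || :
    rm -rf "$_dir"
    return "$_rc"
}

# Constructed call (keytab path and principal as written in the message;
# the job script path is hypothetical):
# run_with_private_ccache /etc/cronkeytabs/usercron.keytab \
#     username/cron@KRBREALM /home/username/bin/job.sh
```

The wrapper returns the job's exit status, or 1 if the temporary directory or the initial ticket could not be obtained.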
