[37344] in Kerberos


Re: Problem with /tmp/krb5cc_%uid cache file name

daemon@ATHENA.MIT.EDU (Ben Gooley)
Thu Dec 17 11:05:24 2015

In-Reply-To: <5672BCFF.5070208@uni-koblenz.de>
Date: Thu, 17 Dec 2015 08:05:05 -0800
Message-ID: <CAP9ATsL2brSVHkP3Rx9cpEq-mERtzH=vaWZVNYimhN5payQNRw@mail.gmail.com>
From: Ben Gooley <bgooley@cloudera.com>
To: Rainer Krienke <krienke@uni-koblenz.de>
Cc: kerberos@mit.edu

Rainer,

We have a KB article that will likely help:

Scripting Against a Kerberos Enabled Cluster
<https://na29.salesforce.com/articles/KB_Article/Scripting-Against-a-Kerberos-Enabled-Cluster?popup=true&id=kA080000000PLhN>

On Thu, Dec 17, 2015 at 5:47 AM, Rainer Krienke <krienke@uni-koblenz.de>
wrote:

> Hello,
>
> a while ago I set up NFS4/Kerberos in our network. So all NFS mounts are
> done via NFS4. We are using MIT Kerberos 5. In krb5.conf I configured
> the credential cache file as:
>
> default_ccache_name = /tmp/krb5cc_%{uid}
>
> Now basically this setup works. However I have one problem that is
> related to the cron-Principal and the default_ccache_name value.
>
> Each user in my setup has a principal username@KRBREALM; for NFS access
> there is an additional nfs/<fqdn>@KRBREALM principal. Users wanting to
> run cron jobs have a username/cron@KRBREALM principal and a local
> keytab file on the cron host to which the cron principal was exported.
>
> Now when a user logs in on the cron host, a /tmp/krb5cc_<%uid> file is
> created with a default principal of username@KRBREALM. It contains the
> krbtgt service principal as well as nfs/<fqdn> service principals.
>
> Next a cron job of this user starts. For this purpose the user prepends
> its real cron job with a call like
>
> kinit -k -t /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM
>
> And since default_ccache_name is set to /tmp/krb5cc_%{uid} and the uid
> of this user is always the same, the file /tmp/krb5cc_<%uid> is
> overwritten, now containing the cron default principal. The user default
> principal that was in there before is deleted. And since we see NFS
> problems once a week on this host, my guess is that this overwriting of
> credential cache files might be the origin.
>
> What I would like to have is either a way to *add* a cron service
> principal to a possibly existing /tmp/krb5cc_%{uid} file with the
> default user principal or to use a different default_ccache_name for
> cron with something like:
>
>         default_ccache_name = /tmp/krb5cc_{%service}
>
> however there is no %service parameter expansion available.
>
> Any idea how to solve this name-conflict?
>
> Thanks for your help
> Rainer
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
> Web: http://userpages.uni-koblenz.de/~krienke
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>


-- 
Ben Gooley
*Customer Operations Engineer*


* <http://www.cloudera.com>*
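
An added example, not part of this message or of the linked KB article: one way to keep the cron principal out of the login cache is to give each job its own cache through `kinit -c` and the `KRB5CCNAME` environment variable, both standard in MIT Kerberos. The function names and the `_cron.XXXXXX` suffix are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: run a cron job with the username/cron credentials in a
# private cache, so the login cache /tmp/krb5cc_<uid> is never overwritten.

# Create a unique, mode-0600 cache file for this job and print its path.
# The "_cron.XXXXXX" naming is an assumption of this example.
new_cron_ccache() {
    mktemp "/tmp/krb5cc_$(id -u)_cron.XXXXXX"
}

# run_with_cron_ccache KEYTAB PRINCIPAL COMMAND [ARGS...]
# The body is a subshell, so its variables do not leak into the caller.
run_with_cron_ccache() (
    if [ "$#" -lt 3 ]; then
        echo "usage: run_with_cron_ccache KEYTAB PRINCIPAL COMMAND [ARGS...]" >&2
        exit 2
    fi
    keytab=$1
    principal=$2
    shift 2

    file=$(new_cron_ccache) || exit 1
    cache="FILE:$file"

    # -c sends the TGT to the named cache instead of default_ccache_name.
    if ! kinit -k -t "$keytab" -c "$cache" "$principal"; then
        rm -f "$file"
        exit 1
    fi

    # Only the job's process sees KRB5CCNAME; login sessions keep their cache.
    status=0
    env KRB5CCNAME="$cache" "$@" || status=$?

    # Remove the job's tickets whether the job succeeded or not.
    kdestroy -q -c "$cache"
    rm -f "$file"
    exit "$status"
)
```

A crontab entry would source this file and call `run_with_cron_ccache /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM <job>`. How rpc.gssd chooses among several caches owned by the same uid for NFS access is not covered by this example.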