[37347] in Kerberos


Re: Problem with /tmp/krb5cc_%uid cache file name

daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Dec 17 12:19:13 2015

Message-ID: <1450372736.17418.233.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Rainer Krienke <krienke@uni-koblenz.de>
Date: Thu, 17 Dec 2015 12:18:56 -0500
In-Reply-To: <5672BCFF.5070208@uni-koblenz.de>
Mime-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, 2015-12-17 at 14:47 +0100, Rainer Krienke wrote:
> Hello,
> 
> a while ago I set up NFS4/Kerberos in our network. So all NFS mounts are
> done via NFS4. We are using MIT kerberos 5. In krb5.conf I configured
> the credential cache file as:
> 
> default_ccache_name = /tmp/krb5cc_%{uid}
> 
> Now basically this setup works. However I have one problem that is
> related to the cron-Principal and the default_ccache_name value.
> 
> Each user in my setup has a principal username@KRBREALM, for nfs access
> there is an additional nfs/<fqdn>@KRBREALM principal. Users wanting to
> run cron jobs have a username/cron@KRBREALM principal and a local
> keytabfile on the cron host to which the cron principal was exported.
> 
> Now when a user logs in on the cron host a /tmp/krb5cc_<%uid> file is
> created with a default principal of username@KRBREALM. It contains the
> krbtgt service principal as well as nfs/<fqdn> service principals.
> 
> Next a cron job of this user starts. For this purpose the user prepends
> its real cron job with a call like
> 
> kinit -k -t /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM
> 
> And since default_ccache_name is set to /tmp/krb5cc_%{uid} and the uid
> of this user is always the same the file /tmp/krb5cc_<%uid> is
> overwritten now containing the cron default principal. The user default
> principal that was in there before is deleted. And since we see NFS
> problems once a week on this host my guess is that this overwriting of
> credential cache files might be the origin.
> 
> What I would like to have is either a way to *add* a cron service
> principal to a possibly existing /tmp/krb5cc_%{uid} file with the
> default user principal or to use a different default_ccache_name for
> cron with something like:
> 
> 	default_ccache_name = /tmp/krb5cc_{%service}
> 
> however there is no %service parameter expansion available.
> 
> Any idea how to solve this name-conflict?

Start cron with a different krb5.conf file (using the KRB5_CONFIG
environment variable) and use a completely separate directory for the
ccache files used by cron jobs, so they won't interfere with NFS?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
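Simo's suggestion worked through as an added shell example (my code, not from the thread): a wrapper that derives a cron-only krb5.conf from the system one, pointing default_ccache_name into a directory login sessions never use, and runs each cron job under KRB5_CONFIG so its kinit cannot overwrite /tmp/krb5cc_%{uid}. The paths /etc/krb5-cron.conf and /var/tmp/krb5-cron are assumed placeholders.

```sh
#!/bin/sh
# Keep cron credential caches apart from login caches (assumed paths below).
set -eu

CRON_KRB5_CONF="${CRON_KRB5_CONF:-/etc/krb5-cron.conf}"   # assumed location
CRON_CCACHE_DIR="${CRON_CCACHE_DIR:-/var/tmp/krb5-cron}"  # assumed location

# cron_krb5_conf SYSTEM_CONF OUT_CONF CCACHE_DIR
# Copy the system krb5.conf, rewriting only default_ccache_name so cron
# tickets land in CCACHE_DIR/krb5cc_%{uid} instead of /tmp/krb5cc_%{uid}.
# %{uid} is left for the Kerberos library to expand, not the shell.
cron_krb5_conf() {
    sed "s|^\([[:space:]]*default_ccache_name[[:space:]]*=\).*|\1 $3/krb5cc_%{uid}|" \
        "$1" > "$2"
    # Fail loudly if the system file had no default_ccache_name line to
    # override; otherwise cron would silently fall back to the library default.
    grep -q "^[[:space:]]*default_ccache_name[[:space:]]*=[[:space:]]*$3/" "$2"
}

# setup_cron_ccache_dir DIR
# Sticky, world-writable like /tmp, so every user's cron cache stays their own.
setup_cron_ccache_dir() {
    mkdir -p "$1"
    chmod 1777 "$1"
}

# run_cron_job KEYTAB PRINCIPAL COMMAND [ARGS...]
# Put this in the crontab in place of "kinit -k -t ... && job": the kinit
# below writes into the cron-only cache named by the cron-only krb5.conf.
run_cron_job() {
    keytab=$1; princ=$2; shift 2
    KRB5_CONFIG=$CRON_KRB5_CONF
    export KRB5_CONFIG
    kinit -k -t "$keytab" "$princ"
    exec "$@"
}

case "${1:-}" in
    setup)
        cron_krb5_conf /etc/krb5.conf "$CRON_KRB5_CONF" "$CRON_CCACHE_DIR"
        setup_cron_ccache_dir "$CRON_CCACHE_DIR" ;;
    run)
        shift; run_cron_job "$@" ;;
esac
```

Run `setup` once as root on the cron host; user crontab entries then call `run KEYTAB PRINCIPAL COMMAND...` through this script, and the login cache in /tmp is never touched by cron.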

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
