[30013] in Kerberos
strange problem with kinit
daemon@ATHENA.MIT.EDU (Rohit Kumar Mehta)
Tue Jun 24 16:18:44 2008
Message-ID: <4861566D.7040409@engr.uconn.edu>
Date: Tue, 24 Jun 2008 16:17:49 -0400
From: Rohit Kumar Mehta <rohitm@engr.uconn.edu>
To: kerberos@mit.edu, nfsv4@linux-nfs.org

Hi guys, is there any reason running kinit from a cronjob would have different
results from running from the shell?

Here is my problem in a nutshell: We are trying to set up a webserver to serve
NFS-mounted public_html directories with sec=krb5. The Apache process
(running as nobody) needs some Kerberos credentials to access these NFS
exported files (perms 755). To solve this I create a crontab for nobody which
issues a command like the following:

echo myPassword | kinit nobody@AD.ENGR.UCONN.EDU

Before my cronjob runs, I su to nobody and run klist:

nobody@sumo2:/root$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_65534)
Kerberos 4 ticket cache: /tmp/tkt65534
klist: You have no tickets cached

If I do an "ls /home/rohitm/public_html", I get a "Permission denied" error, and
see the following in my logs:

Jun 24 15:44:43 sumo2 rpc.gssd[3968]: ERROR: GSS-API: error in gss_acquire_cred(): Unspecified GSS failure. Minor code may provide more information - No credentials cache found
Jun 24 15:44:43 sumo2 rpc.gssd[3968]: WARNING: Failed to create krb5 context for user with uid 65534 for server filesm.ad.engr.uconn.edu

Now when the cronjob fires, I su to nobody and issue a klist:

nobody@sumo2:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_65534
Default principal: nobody@AD.ENGR.UCONN.EDU

Valid starting     Expires            Service principal
06/24/08 15:30:02  06/25/08 01:30:02  krbtgt/AD.ENGR.UCONN.EDU@AD.ENGR.UCONN.EDU
        renew until 06/25/08 15:30:02, Flags: FRIA
06/24/08 15:30:32  06/25/08 01:30:02  nfs/filesm.ad.engr.uconn.edu@AD.ENGR.UCONN.EDU
        renew until 06/25/08 15:30:02, Flags: FRA
06/24/08 15:30:32  06/25/08 01:30:02  FILESM$@AD.ENGR.UCONN.EDU
        renew until 06/25/08 15:30:02, Flags: FRA

Kerberos 4 ticket cache: /tmp/tkt65534
klist: You have no tickets cached

Now comes the confusing part. At this point issuing a command like
"ls -al /home/rohitm" *sometimes* succeeds, and other times it will continue to
fail until the next time the cronjob trips or I run the kinit manually. I am
really not sure what is going on, but I did find this thread:

http://linux-nfs.org/pipermail/nfsv4/2007-October/006915.html

and am trying out kkeepd. In the meantime, does anyone know why my
"echo password | kinit" seems to fail intermittently?

--
Rohit Mehta
Computer Engineer
University of Connecticut
Engineering Computing Services
371 Fairfield Road Unit 2031
Storrs, CT 06269-2031
Office: (860) 486 - 2331
Fax: (860) 486 - 1273
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos