[36532] in Kerberos


Re: documentation on how to set $KRB5CCNAME for kerberized/gssapi

daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Oct 9 18:36:07 2014

From: Tom Yu <tlyu@mit.edu>
To: Natxo Asenjo <natxo.asenjo@gmail.com>
Date: Thu, 09 Oct 2014 18:28:08 -0400
In-Reply-To: <CAHBEJzXEU4qkMdEaaKaeL=-CuG+vJVz7qvmcTAYc=ZmNd+h3cg@mail.gmail.com>
	(Natxo Asenjo's message of "Thu, 9 Oct 2014 23:10:17 +0200")
Message-ID: <ldvr3ygdgjr.fsf@sarnath.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Natxo Asenjo <natxo.asenjo@gmail.com> writes:

> When implementing rsyslog with gssapi
> (http://www.rsyslog.com/doc/gssapi.html)  I came across the issue
> that the rsyslog software expects the credentials cache of the host
> principal in /tmp/krb5cc_0; the centos 6.5 hosts joined to a freeipa
> kerberos domain save that to /var/tmp/host_0 .

/var/tmp/host_0 looks more like a replay cache (rcache) filename to me.
Are you seeing this on the rsyslog server or the rsyslog client?

> I tried setting this:
>
> KRB5CCNAME='/var/tmp/host_0'
>
> or variations on that (double inverted commas, no commas) in
> /etc/sysconfig/rsyslog which is the place where one expects to declare
> such a variable in redhat/centos systems because that file is sourced
> by the init script of rsyslog. But unfortunately rsyslog kept
> requesting the /tmp/krb5cc_0 file.

What error messages did you see?  Is this on the client or the server?

> Copying /var/tmp/host_0 over
> /tmp/krb5cc_0 solves this problem and then one can relay syslog
> messages using kerberos authentication, but it is not really elegant.

I would not expect that to work if /var/tmp/host_0 were a replay cache,
so maybe it is a ccache after all.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
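
One way to settle the ccache-or-rcache question raised in the message above, as an added example that is not part of the original post or of MIT krb5: parse the start of the file as a FILE credential cache (format version 3 or 4, big-endian) and report its default principal. The function names, size bounds and the sample header are assumptions made for this example; it does not identify a replay cache, it only reports whether the file parses as a ccache.

```python
import struct
import sys

def _counted(b):
    """Encode a ccache 'data' field: 32-bit big-endian length, then bytes."""
    return struct.pack(">I", len(b)) + b

def make_sample_ccache_header(realm, components):
    """Constructed sample: the start of a version 4 FILE ccache, empty header."""
    out = b"\x05\x04" + struct.pack(">H", 0)           # version, header length
    out += struct.pack(">II", 3, len(components))      # 3 = KRB5_NT_SRV_HST
    return out + _counted(realm) + b"".join(_counted(c) for c in components)

def ccache_default_principal(data):
    """Return 'name@REALM' if data begins like a v3/v4 FILE ccache, else None."""
    if len(data) < 2 or data[0] != 5 or data[1] not in (3, 4):
        return None
    pos = 2
    try:
        if data[1] == 4:                                # v4 adds a tagged header
            (hdrlen,) = struct.unpack_from(">H", data, pos)
            pos += 2 + hdrlen
        _name_type, ncomp = struct.unpack_from(">II", data, pos)
        pos += 8
        if ncomp > 16:                                  # sanity bound (assumption)
            return None
        fields = []
        for _ in range(ncomp + 1):                      # realm, then components
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4
            if n > 1024 or pos + n > len(data):
                return None
            fields.append(data[pos:pos + n].decode("utf-8"))
            pos += n
    except (struct.error, UnicodeDecodeError):
        return None
    return "/".join(fields[1:]) + "@" + fields[0]

if __name__ == "__main__":
    for path in sys.argv[1:]:                           # e.g. /var/tmp/host_0
        with open(path, "rb") as fh:
            princ = ccache_default_principal(fh.read(4096))
        print(path, "->", princ or "does not parse as a v3/v4 FILE ccache")
```

Where the Kerberos client tools are installed, `klist -c /var/tmp/host_0` answers the same question by listing the cache contents or failing with a format error.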
