I'm surprised you need a mapping at all. The default mapping should simply strip any instance component. What happens if you kinit "manually" with username/cron using a password?

On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke <krie...@uni-koblenz.de> wrote:
> Hello,
>
> I am setting up a kerberos/NFS4 environment. Basically everything seems
> to work. Every user has of course a principal username@MYREALM, where
> username is the unix user name. The users' homes are on a kerberos/NFS4
> mounted directory.
>
> Now for running cron jobs I have to export a principal to a keytab and
> thus I do not want to use the user principal username@MYREALM
> (exporting would also change its key) but a special
> username/cron@MYREALM principal.
> In order to run a cron job I would like to use kinit to get a ticket and
> then start the real work like this:
>
> kinit -k -t /etc/keytabs/cron/usernameCron.keytab username/cron@MYREALM;
> touch /home/username/xyz
>
> Because the users have their home on a NFS4 mounted directory I have to
> take care that the local user for the cron-principal
> username/cron@MYREAL is mapped to "username", the unix user for the
> principal.
>
> To achieve this I created an auth_to_local rule in /etc/krb5.conf on the
> NFS client and on the kerberos server as well:
>
> auth_to_local = RULE:[2:$1;$2](^.*;cron$)s/;cron//
>
> This should remove the "cron" part for the local user from the
> principal. Actually I do not see any effect anywhere in the logs but
> perhaps this is normal, I don't know.
>
> After all this way things do not work and I do not know what's wrong.
> When running a cron-job that e.g. tries to create a file on the user's NFS4
> home directory I simply get a "permission denied" error. When I use the
> original user principal for this purpose it works. So the mapping does
> not seem to work as expected.
>
> Does anyone know what might be wrong?
>
> Thanks for any help
> Rainer Krienke
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287
> 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
> 1001312

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
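
How the rule quoted above is evaluated, as an added example that is not part of the original thread and not MIT krb5's own code: a simplified Python model of the `RULE:[n:format](regexp)s/pattern/replacement/` form. The function name `apply_rule` is hypothetical, Python's `re` stands in for the library's regex engine, and realm handling is not modelled.

```python
import re

# Simplified model of one auth_to_local RULE (assumption: not the library's code):
#   RULE:[n:format](regexp)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"
    r"(?:\((?P<sel>.*?)\))?"
    r"(?:s/(?P<pat>[^/]*)/(?P<rep>[^/]*)/(?P<g>g?))?$"
)

def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if it does not apply."""
    m = RULE_RE.match(rule)
    if m is None:
        raise ValueError("unsupported rule syntax: " + rule)
    name, _, realm = principal.partition("@")
    comps = name.split("/")
    # Step 1: the principal must have exactly n components.
    if len(comps) != int(m["n"]):
        return None
    # Step 2: build the selection string; $0 is the realm, $1..$n the components.
    def expand(ref):
        i = int(ref.group(1))
        if i == 0:
            return realm
        return comps[i - 1] if i <= len(comps) else ""
    s = re.sub(r"\$(\d)", expand, m["fmt"])
    # Step 3: the selection regexp must match the whole string.
    if m["sel"] is not None and re.fullmatch(m["sel"], s) is None:
        return None
    # Step 4: run the s/pattern/replacement/ substitution (first match unless g).
    if m["pat"] is not None:
        s = re.sub(m["pat"], m["rep"], s, count=0 if m["g"] else 1)
    return s

# The rule from the message, tried against constructed principals.
CRON_RULE = "RULE:[2:$1;$2](^.*;cron$)s/;cron//"

if __name__ == "__main__":
    for p in ("username/cron@MYREALM", "username/admin@MYREALM", "username@MYREALM"):
        print(p, "->", apply_rule(CRON_RULE, p))
```

The model only shows what the rule string itself yields for a given principal; it does not show which component on the NFS client or server consults auth_to_local.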