Hello,

a while ago I set up NFS4/Kerberos in our network. So all NFS mounts are done via NFS4. We are using MIT Kerberos 5. In krb5.conf I configured the credential cache file as:

    default_ccache_name = /tmp/krb5cc_%{uid}

Now basically this setup works. However I have one problem that is related to the cron principal and the default_ccache_name value.

Each user in my setup has a principal username@KRBREALM, for NFS access there is an additional nfs/<fqdn>@KRBREALM principal. Users wanting to run cron jobs have a username/cron@KRBREALM principal and a local keytab file on the cron host to which the cron principal was exported.

Now when a user logs in on the cron host, a /tmp/krb5cc_<%uid> file is created with a default principal of username@KRBREALM. It contains the krbtgt service principal as well as nfs/<fqdn> service principals.

Next a cron job of this user starts. For this purpose the user prepends their real cron job with a call like

    kinit -k -t /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM

And since default_ccache_name is set to /tmp/krb5cc_%{uid} and the uid of this user is always the same, the file /tmp/krb5cc_<%uid> is overwritten, now containing the cron default principal. The user default principal that was in there before is deleted. And since we see NFS problems once a week on this host, my guess is that this overwriting of credential cache files might be the origin.

What I would like to have is either a way to *add* a cron service principal to a possibly existing /tmp/krb5cc_%{uid} file with the default user principal, or to use a different default_ccache_name for cron with something like:

    default_ccache_name = /tmp/krb5cc_{%service}

However, there is no %service parameter expansion available.

Any idea how to solve this name conflict?

Thanks for your help
Rainer

--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
Web: http://userpages.uni-koblenz.de/~krienke
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html
________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
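
Added example (not part of the message above and not code from MIT Kerberos): one way to keep a cron job's kinit from overwriting the login cache /tmp/krb5cc_<uid> is to point KRB5CCNAME at a job-private cache file for the lifetime of the job. The function names are hypothetical, the keytab path and principal are the ones quoted in the post, and which cache rpc.gssd selects for NFS access is not addressed here.

```shell
#!/bin/sh
# Added example: run a cron job with its own Kerberos credential cache so
# that kinit never writes to the login cache /tmp/krb5cc_<uid>.
# Function names are hypothetical; kinit, kdestroy and KRB5CCNAME are the
# standard MIT Kerberos tools and environment variable.

# Create an empty cache file private to this job and print its path.
# mktemp creates it with mode 0600 and a unique suffix, so two jobs of
# the same user do not share a cache either.
new_cron_ccache() {
    dir=${1:-/tmp}
    mktemp "$dir/krb5cc_$(id -u)_cron_XXXXXX"
}

# with_cron_creds KEYTAB PRINCIPAL COMMAND [ARGS...]
# Obtains a TGT from the keytab into the private cache, runs COMMAND with
# KRB5CCNAME pointing at it, then destroys the cache. Returns COMMAND's
# exit status, or 1 if the cache or the ticket could not be obtained.
with_cron_creds() {
    keytab=$1
    principal=$2
    shift 2
    cc=$(new_cron_ccache) || return 1
    (
        # The subshell keeps the override out of the caller's environment.
        KRB5CCNAME="FILE:$cc"
        export KRB5CCNAME
        # Clean up on every exit path, including a failed kinit.
        trap 'kdestroy -q 2>/dev/null || :; rm -f "$cc"' EXIT
        kinit -k -t "$keytab" "$principal" || exit 1
        "$@"
    )
}

# Usage in a crontab line (the job path is constructed for illustration):
#   . /usr/local/lib/cron_creds.sh; with_cron_creds \
#       /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM /path/to/job
```
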