kinit under launchd on Mac OS X 10.5

Christopher Owens chris at interisle.net
Tue Jan 8 11:28:24 EST 2008


kinit seems to behave differently when it is invoked under the launchd 
mechanism, than when it is invoked from a command line.  I believe all 
the relevant environment variables are set identically, but the outcome 
is different.

*Background:*

I have a Mac OS 10.5 ("Leopard") client machine.  It is in contact with 
a Linux Kerberos server. I have a ticket that I want to keep alive, so 
that an application can use it to authenticate to another server. The 
normal Unix way to do this would be to set up a cron job to renew the 
ticket every couple of hours. I am trying to do it the Leopard way, by 
adding an XML plist file to /Library/LaunchDaemons that invokes kinit.

*Problem:*

When I run the kinit command from the command line, it works fine (in my 
example below I've changed the name to host.domain.com):

    sudo -u openldap env KRB5CCNAME="FILE:/var/db/openldap/syncrepl.tkt" kinit -k -t /var/db/openldap/syncrepl.keytab syncrepl/host.domain.com


On the other hand, when I use the launchd mechanism to run it, I get an 
error in the log:

    Jan 8 01:29:38 <hostname> syncrepl-kinit[13049]: kinit: Error getting initial
    tickets: Internal credentials cache error

Normally that error message refers to an inability to read or write the 
key cache, I believe.

If you're still reading, here's the plist file (again, I've changed the 
names):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>syncrepl-kinit</string>
        <!-- Disabled: launchctl load skips this job unless -w is given -->
        <key>Disabled</key>
        <true/>
        <key>Program</key>
        <string>/usr/bin/kinit</string>
        <!-- argv[0] first, then the kinit options -->
        <key>ProgramArguments</key>
        <array>
          <string>/usr/bin/kinit</string>
          <string>-k</string>
          <string>-t</string>
          <string>/var/db/openldap/syncrepl.keytab</string>
          <string>syncrepl/host.domain.com</string>
        </array>
        <!-- tells kinit which FILE: cache to write; the application reads the same path -->
        <key>EnvironmentVariables</key>
        <dict>
          <key>KRB5CCNAME</key>
          <string>FILE:/var/db/openldap/syncrepl.tkt</string>
        </dict>
        <!-- run the job as the openldap user rather than root -->
        <key>UserName</key>
        <string>openldap</string>
        <key>RunAtLoad</key>
        <true/>
        <!-- StartInterval takes a number of seconds (21600 = 6 hours);
             StartCalendarInterval takes a dict of Minute/Hour/Day/Weekday/Month
             keys, not an integer -->
        <key>StartInterval</key>
        <integer>21600</integer>
        <key>LowPriorityIO</key>
        <true/>
</dict>
</plist>
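The post attributes "Internal credentials cache error" to kinit being unable to read or write the cache, and the difference between the two runs is whatever launchd does differently (user, environment, file permissions). Added here as an example, not code from the original post: a small POSIX sh pre-flight check that a wrapper can run before exec'ing kinit, so the log states which precondition failed (keytab unreadable, cache directory not writable, KRB5CCNAME not a FILE: cache) instead of the generic library error. The function names, the wrapper and its log lines are assumptions; the paths and principal are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for a launchd
# job that runs kinit -k -t KEYTAB PRINCIPAL with a FILE: credentials cache.

# check_ccache_env KEYTAB KRB5CCNAME
# Returns 0 when the keytab is readable and the FILE: cache can be written by
# the current user, 2 when KRB5CCNAME is not a FILE: cache, 1 otherwise.
# Each failed check prints one line naming the user and the path.
check_ccache_env() {
    keytab=$1
    ccname=$2
    rc=0
    case "$ccname" in
        FILE:*) ccfile=${ccname#FILE:} ;;
        *) echo "KRB5CCNAME is not a FILE: cache: '$ccname'"; return 2 ;;
    esac
    ccdir=$(dirname "$ccfile")
    me=$(id -un)
    if [ ! -r "$keytab" ]; then
        echo "keytab not readable by $me: $keytab"; rc=1
    fi
    if [ ! -d "$ccdir" ] || [ ! -w "$ccdir" ]; then
        echo "cache directory not writable by $me: $ccdir"; rc=1
    fi
    if [ -e "$ccfile" ] && [ ! -w "$ccfile" ]; then
        echo "existing cache file not writable by $me: $ccfile"; rc=1
    fi
    return $rc
}

# run_kinit_checked KEYTAB PRINCIPAL
# Hypothetical wrapper meant to be the launchd Program: records who launchd
# ran us as and what KRB5CCNAME it passed, runs the checks, then execs kinit
# so its exit status becomes the job's exit status.
run_kinit_checked() {
    keytab=$1
    principal=$2
    echo "running as $(id) with KRB5CCNAME=${KRB5CCNAME:-<unset>}"
    check_ccache_env "$keytab" "${KRB5CCNAME:-}" || exit $?
    exec /usr/bin/kinit -k -t "$keytab" "$principal"
}
```

Saved as a script (assumed path /usr/local/sbin/syncrepl-kinit.sh) that ends with `run_kinit_checked /var/db/openldap/syncrepl.keytab syncrepl/host.domain.com`, and pointed to by Program/ProgramArguments in place of /usr/bin/kinit, its echo lines land in the same log as the kinit error, next to the user and environment launchd actually provided. Running the same script by hand with `sudo -u openldap env KRB5CCNAME=FILE:/var/db/openldap/syncrepl.tkt /usr/local/sbin/syncrepl-kinit.sh` gives a direct comparison of the two cases.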