kinit under launchd on Mac OS X 10.5
Christopher Owens
chris at interisle.net
Tue Jan 8 11:28:24 EST 2008
kinit seems to behave differently when it is invoked under the launchd
mechanism than when it is invoked from a command line. I believe all
the relevant environment variables are set identically, but the outcome
is different.
*Background:*
I have a Mac OS 10.5 ("Leopard") client machine. It is in contact with
a linux Kerberos server. I have a ticket that I want to keep alive, so
that an application can use it to authenticate to another server. The
normal Unix way to do this would be to set up a cron job to renew the
ticket every couple of hours. I am trying to do it the Leopard way, by
adding an xml plist file to /Library/LaunchDaemons that invokes kinit.
*Problem:*
When I run the kinit command from the command line, it works fine (in my
example below I've changed the name to host.domain.com):

    sudo -u openldap env KRB5CCNAME="FILE:/var/db/openldap/syncrepl.tkt" kinit -k -t /var/db/openldap/syncrepl.keytab syncrepl/host.domain.com
On the other hand, when I use the launchd mechanism to run it, I get an
error in the log:
    Jan 8 01:29:38 <hostname> syncrepl-kinit[13049]: kinit: Error getting initial tickets: Internal credentials cache error

Normally that error message refers to an inability to read or write the
key cache, I believe.
If you're still reading, here's the plist file (again, I've changed the
names):
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
    "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>syncrepl-kinit</string>
        <key>Disabled</key>
        <true/>
        <key>Program</key>
        <string>/usr/bin/kinit</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/bin/kinit</string>
            <string>-k</string>
            <string>-t</string>
            <string>/var/db/openldap/syncrepl.keytab</string>
            <string>syncrepl/host.domain.com</string>
        </array>
        <key>EnvironmentVariables</key>
        <dict>
            <key>KRB5CCNAME</key>
            <string>FILE:/var/db/openldap/syncrepl.tkt</string>
        </dict>
        <key>UserName</key>
        <string>openldap</string>
        <key>RunAtLoad</key>
        <true/>
        <key>StartCalendarInterval</key>
        <integer>21600</integer>
        <key>LowPriorityIO</key>
        <true/>
    </dict>
    </plist>
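As an added example, not code from the original post: a hypothetical wrapper script that the plist's Program key could point at instead of /usr/bin/kinit. It logs the identity and KRB5CCNAME that launchd actually supplies and refuses to run kinit when the FILE: cache cannot be written, which is the usual cause of the error above; the install path and syslog tag are assumptions.

```shell
#!/bin/sh
# Hypothetical launchd wrapper for kinit (not from the original post). Assumed
# install path /usr/local/sbin/kinit-wrapper.sh, set as the plist's Program with
# the kinit arguments passed through ProgramArguments. It logs who launchd ran
# us as and whether the FILE: cache in KRB5CCNAME is writable (what "Internal
# credentials cache error" usually comes down to), then execs kinit.
LOGTAG="syncrepl-kinit"   # assumed syslog tag

# Cache type from a KRB5CCNAME value; MIT treats a bare path as FILE.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Path component of a FILE: cache name (a bare path is returned unchanged).
ccache_path() { printf '%s\n' "${1#FILE:}"; }

# 0 if the FILE: cache named by $1 can be created or rewritten by the current
# user, 1 if not, 2 for non-FILE caches (API:, KCM:, ...) where this does not apply.
check_ccache_writable() {
    [ "$(ccache_type "$1")" = "FILE" ] || return 2
    path=$(ccache_path "$1")
    dir=$(dirname "$path")
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    if [ -e "$path" ]; then
        [ -w "$path" ] || return 1
    fi
    return 0
}

# launchd captures no terminal output, so record identity and environment to
# syslog before handing over to kinit.
main() {
    logger -t "$LOGTAG" "user=$(id -un) uid=$(id -u) HOME=${HOME:-unset} KRB5CCNAME=${KRB5CCNAME:-unset}"
    if [ -n "${KRB5CCNAME:-}" ]; then
        rc=0
        check_ccache_writable "$KRB5CCNAME" || rc=$?
        if [ "$rc" -eq 1 ]; then
            logger -t "$LOGTAG" "cache $KRB5CCNAME not writable by $(id -un); not running kinit"
            exit 1
        fi
    fi
    exec /usr/bin/kinit "$@"
}
# Only act when kinit arguments are passed through (as the plist would).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Separately, launchd's StartCalendarInterval takes a dictionary of calendar fields (Minute, Hour, Weekday and so on); a plain number of seconds, as in the plist above, belongs under StartInterval.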