kinit under launchd on Mac OS X 10.5

Alexandra Ellwood lxs at MIT.EDU
Tue Jan 15 12:05:57 EST 2008


The Mac OS X kinit uses the in-memory CCAPI ccache server to  
temporarily store tickets before placing them in the destination  
ccache (in this case a file-based ccache).  As a result kinit is  
attempting to launch a launchd service (the CCacheServer) from inside  
your launchd script.  The CCacheServer is failing to launch, resulting  
in the "Internal credentials cache error".  The fact that the  
CCacheServer is launched in this case is an artifact of the Kerberos  
v4 support in previous versions of Mac OS X.  (Future versions of  
Kerberos for Mac OS X will no longer use the CCacheServer in this  
case, but that's not much help to you now.)


As to why the CCacheServer isn't launching, there are a couple of  
things which could be going wrong here.  Launchd could be launching  
kinit in the wrong session (such as the root bootstrap) which would  
prevent the CCacheServer from launching entirely.  Alternatively there  
could be some problem with launching a launchd service from inside a  
launchd script (although I'm sure it's more complicated than that or  
lots of things wouldn't work).  Regardless this is an Apple bug and  
you should file it with Apple at <http://bugreport.apple.com/>.


As far as actually solving your problem goes, you can obtain a keytab  
for the machine and have it authenticate to the service using tickets  
obtained from the keytab (kinit -k).  Using a keytab would be the most  
stable mechanism since you wouldn't have to handle the case where the  
renewal lifetime expires.  If you end up using a keytab you might want  
to look at Russ Allbery's kstart program  
<http://www.eyrie.org/~eagle/software/kstart/> which does a lot of the  
work of managing the keytab for you.

If getting a keytab isn't possible, you can build a stock kinit from  
the krb5 sources (krb5/src/clients/kinit) which will get tickets and  
store them in the file-based ccache without launching the CCacheServer.



On Jan 8, 2008, at 11:28 AM, Christopher Owens wrote:

> kinit seems to behave differently when it is invoked under the launchd
> mechanism than when it is invoked from a command line.  I believe all
> the relevant environment variables are set identically, but the outcome
> is different.
>
> *Background:*
>
> I have a Mac OS 10.5 ("Leopard") client machine.  It is in contact with
> a linux Kerberos server. I have a ticket that I want to keep alive, so
> that an application can use it to authenticate to another server. The
> normal Unix way to do this would be to set up a cron job to renew the
> ticket every couple of hours. I am trying to do it the Leopard way, by
> adding an xml plist file to /Library/LaunchDaemons that invokes kinit.
>
> *Problem:*
>
> When I run the kinit command from the command line, it works fine (in my
> example below I've changed the name to host.domain.com):
>
>    sudo -u openldap env KRB5CCNAME="FILE:/var/db/openldap/syncrepl.tkt" \
>        kinit -k -t /var/db/openldap/syncrepl.keytab syncrepl/host.domain.com
>
>
> On the other hand, when I use the launchd mechanism to run it, I get an
> error in the log:
>
>    Jan 8 01:29:38 <hostname> syncrepl-kinit[13049]: kinit: Error getting
>    initial tickets: Internal credentials cache error
>
> Normally that error message refers to an inability to read or write the
> key cache, I believe.
>
> If you're still reading, here's the plist file (again, I've changed the
> names):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>        <key>Label</key>
>        <string>syncrepl-kinit</string>
>        <key>Disabled</key>
>        <true/>
>        <key>Program</key>
>        <string>/usr/bin/kinit</string>
>        <key>ProgramArguments</key>
>        <array>
>          <string>/usr/bin/kinit</string>
>          <string>-k</string>
>          <string>-t</string>
>          <string>/var/db/openldap/syncrepl.keytab</string>
>          <string>syncrepl/host.domain.com</string>
>        </array>
>        <key>EnvironmentVariables</key>
>        <dict>
>          <key>KRB5CCNAME</key>
>          <string>FILE:/var/db/openldap/syncrepl.tkt</string>
>        </dict>
>        <key>UserName</key>
>        <string>openldap</string>
>        <key>RunAtLoad</key>
>        <true/>
>        <!-- StartCalendarInterval takes a dictionary of calendar fields;
>             a plain number of seconds between runs is StartInterval. -->
>        <key>StartInterval</key>
>        <integer>21600</integer>
>        <key>LowPriorityIO</key>
>        <true/>
> </dict>
> </plist>
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--lxs

Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
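The keytab route recommended in the reply above, as an added example that is not code from this thread or from MIT Kerberos: a POSIX sh wrapper intended to be the launchd Program. It refuses a keytab that anyone other than its owner can read (a keytab is a long-term key, the equivalent of the principal's password), runs kinit -k into an explicit FILE: ccache, and confirms the result with klist -s, so a kinit that exits without storing usable tickets fails the job visibly instead of silently. The script name syncrepl-kinit.sh, the KINIT/KLIST override variables and the paths in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# syncrepl-kinit.sh (hypothetical name): launchd-friendly wrapper around
# "kinit -k".  Usage: syncrepl-kinit.sh KEYTAB PRINCIPAL CCACHE_PATH

# A keytab is a long-term key, equivalent to the principal's password, so
# refuse to use one that anyone other than its owner can read.  ls(1) is
# parsed instead of stat(1) because stat's flags differ between BSD and GNU.
check_keytab_perms() {
    keytab=$1
    if [ ! -f "$keytab" ]; then
        echo "keytab $keytab: not a regular file" >&2
        return 1
    fi
    mode=$(ls -ld "$keytab" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *)
            echo "keytab $keytab has mode $mode; expected 0600 or 0400" >&2
            return 1 ;;
    esac
}

# Get fresh tickets from the keytab into an explicit FILE: ccache and
# confirm they are usable.  KINIT and KLIST default to whatever is on
# PATH; point them at a stock MIT build (as suggested in the reply) or at
# stubs when testing.  Both are assumed override hooks, not kinit options.
acquire_tickets() {
    keytab=$1
    principal=$2
    ccache=$3
    check_keytab_perms "$keytab" || return 1
    KRB5CCNAME="FILE:$ccache"
    export KRB5CCNAME
    if ! "${KINIT:-kinit}" -k -t "$keytab" "$principal"; then
        echo "kinit -k failed for $principal into $KRB5CCNAME" >&2
        return 1
    fi
    # klist -s prints nothing and exits non-zero when the cache holds no
    # valid tickets, so a kinit that returned 0 without storing anything
    # usable still fails the job and launchd sees the non-zero exit.
    if ! "${KLIST:-klist}" -s; then
        echo "no valid tickets in $KRB5CCNAME after kinit" >&2
        return 1
    fi
    return 0
}

# Run only when invoked with the three arguments, e.g. from launchd:
#   syncrepl-kinit.sh /var/db/openldap/syncrepl.keytab \
#       syncrepl/host.domain.com /var/db/openldap/syncrepl.tkt
if [ $# -eq 3 ]; then
    acquire_tickets "$1" "$2" "$3"
    exit $?
fi
```

Point the plist's Program at the script and pass the keytab, principal and ccache path as ProgramArguments; the script's exit status then reflects both the kinit result and the klist check, and launchd records it. k5start from the kstart package mentioned above covers the same ground with renewal handling built in.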




