kinit under launchd on Mac OS X 10.5
Alexandra Ellwood
lxs at MIT.EDU
Tue Jan 15 12:05:57 EST 2008
The Mac OS X kinit uses the in memory CCAPI ccache server to
temporarily store tickets before placing them in the destination
ccache (in this case a file-based ccache). As a result kinit is
attempting to launch a launchd service (the CCacheServer) from inside
your launchd script. The CCacheServer is failing to launch, resulting
in the "Internal credentials cache error". The fact that the
CCacheServer is launched in this case is an artifact of the Kerberos
v4 support in previous versions of Mac OS X. (Future versions of
Kerberos for Mac OS X will no longer use the CCacheServer in this
case, but that's not much help to you now.)
As to why the CCacheServer isn't launching, there are a couple of
things which could be going wrong here. Launchd could be launching
kinit in the wrong session (such as the root bootstrap) which would
prevent the CCacheServer from launching entirely. Alternatively there
could be some problem with launching a launchd service from inside a
launchd script (although I'm sure it's more complicated than that or
lots of things wouldn't work). Regardless this is an Apple bug and
you should file it with Apple at <http://bugreport.apple.com/>.
As far as actually solving your problem goes, you can obtain a keytab
for the machine and have it authenticate to the service using tickets
obtained from the keytab (kinit -k). Using a keytab would be the most
stable mechanism since you wouldn't have to handle the case where the
renewal lifetime expires. If you end up using a keytab you might want
to look at Russ Allbery's kstart program
<http://www.eyrie.org/~eagle/software/kstart/> which does a lot of the
work of managing the keytab for you.
If getting a keytab isn't possible, you can build a stock kinit from
the krb5 sources (krb5/src/clients/kinit) which will get tickets and
store them in the file-based ccache without launching the CCacheServer.
On Jan 8, 2008, at 11:28 AM, Christopher Owens wrote:
> kinit seems to behave differently when it is invoked under the launchd
> mechanism, than when it is invoked from a command line. I believe all
> the relevant environment variables are set identically, but the
> outcome is different.
>
> *Background:*
>
> I have a Mac OS 10.5 ("Leopard") client machine. It is in contact with
> a linux Kerberos server. I have a ticket that I want to keep alive, so
> that an application can use it to authenticate to another server. The
> normal Unix way to do this would be to set up a cron job to renew the
> ticket every couple of hours. I am trying to do it the Leopard way, by
> adding an xml plist file to /Library/LaunchDaemons that invokes kinit.
>
> *Problem:*
>
> When I run the kinit command from the command line, it works fine (in
> my example below I've changed the name to host.domain.com):
>
> sudo -u openldap env KRB5CCNAME="FILE:/var/db/openldap/syncrepl.tkt" kinit -k -t /var/db/openldap/syncrepl.keytab syncrepl/host.domain.com
>
>
> On the other hand, when I use the launchd mechanism to run it, I get an
> error in the log:
>
> Jan 8 01:29:38 <hostname> syncrepl-kinit13049: kinit: Error getting initial tickets: Internal credentials cache error
>
> Normally that error message refers to an inability to read or write the
> key cache, I believe.
>
> If you're still reading, here's the plist file (again, I've changed the
> names):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
> "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <key>Label</key>
>     <string>syncrepl-kinit</string>
>     <key>Disabled</key>
>     <true/>
>     <key>Program</key>
>     <string>/usr/bin/kinit</string>
>     <key>ProgramArguments</key>
>     <array>
>         <string>/usr/bin/kinit</string>
>         <string>-k</string>
>         <string>-t</string>
>         <string>/var/db/openldap/syncrepl.keytab</string>
>         <string>syncrepl/host.domain.com</string>
>     </array>
>     <key>EnvironmentVariables</key>
>     <dict>
>         <key>KRB5CCNAME</key>
>         <string>FILE:/var/db/openldap/syncrepl.tkt</string>
>     </dict>
>     <key>UserName</key>
>     <string>openldap</string>
>     <key>RunAtLoad</key>
>     <true/>
>     <!-- A plain number of seconds is StartInterval; StartCalendarInterval
>          takes a dict of Minute/Hour/Day/Weekday/Month fields. -->
>     <key>StartInterval</key>
>     <integer>21600</integer>
>     <key>LowPriorityIO</key>
>     <true/>
> </dict>
> </plist>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--lxs
Alexandra Ellwood <lxs at mit.edu>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
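The plist in the quoted post is the kind of launchd job that benefits from a quick lint before it is loaded: launchd's StartInterval takes an integer number of seconds while StartCalendarInterval takes a dictionary of calendar fields, Program must agree with ProgramArguments[0], the job should really run kinit with -k, and KRB5CCNAME should point at a FILE: cache the job's user can write. The following is an added example (not code from the thread or from MIT Kerberos); the embedded plist is constructed to mirror the poster's, including the seconds-valued StartCalendarInterval, and the function names are mine.

```python
"""Lint and correct a launchd plist that refreshes Kerberos tickets
with `kinit -k` from a keytab (added example, not from the thread)."""
import plistlib

# Constructed sample: mirrors the plist from the post (host name as
# changed there), including the seconds value under StartCalendarInterval.
POSTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
 "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>syncrepl-kinit</string>
  <key>Disabled</key><true/>
  <key>Program</key><string>/usr/bin/kinit</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/bin/kinit</string><string>-k</string><string>-t</string>
    <string>/var/db/openldap/syncrepl.keytab</string>
    <string>syncrepl/host.domain.com</string>
  </array>
  <key>EnvironmentVariables</key>
  <dict><key>KRB5CCNAME</key><string>FILE:/var/db/openldap/syncrepl.tkt</string></dict>
  <key>UserName</key><string>openldap</string>
  <key>RunAtLoad</key><true/>
  <key>StartCalendarInterval</key><integer>21600</integer>
  <key>LowPriorityIO</key><true/>
</dict>
</plist>
"""

# Fields launchd accepts inside a StartCalendarInterval dictionary.
CALENDAR_FIELDS = {"Minute", "Hour", "Day", "Weekday", "Month"}


def lint_kinit_job(plist_bytes):
    """Return a list of human-readable problems found in the launchd job."""
    job = plistlib.loads(plist_bytes)
    problems = []
    args = job.get("ProgramArguments", [])
    if "Program" in job and args and args[0] != job["Program"]:
        problems.append("Program and ProgramArguments[0] differ")
    if "-k" not in args:
        problems.append("kinit is not run with -k (keytab)")
    sci = job.get("StartCalendarInterval")
    if sci is not None and not isinstance(sci, (dict, list)):
        problems.append("StartCalendarInterval must be a dict "
                        "(use StartInterval for seconds)")
    if isinstance(sci, dict) and not set(sci) <= CALENDAR_FIELDS:
        problems.append("StartCalendarInterval has unknown fields")
    si = job.get("StartInterval")
    # bool is a subclass of int in Python, so exclude <true/>/<false/>.
    if si is not None and (isinstance(si, bool) or not isinstance(si, int) or si <= 0):
        problems.append("StartInterval must be a positive integer of seconds")
    if si is None and sci is None:
        problems.append("no StartInterval or StartCalendarInterval: "
                        "tickets will not be refreshed")
    cc = job.get("EnvironmentVariables", {}).get("KRB5CCNAME", "")
    if not cc.startswith("FILE:"):
        problems.append("KRB5CCNAME does not name a FILE: ccache")
    if job.get("Disabled"):
        problems.append("Disabled is true: launchctl load will skip "
                        "the job unless -w is given")
    return problems


def fix_kinit_job(plist_bytes):
    """Return corrected plist bytes: a bare seconds value under
    StartCalendarInterval is moved to StartInterval, and Disabled is cleared."""
    job = plistlib.loads(plist_bytes)
    sci = job.get("StartCalendarInterval")
    if isinstance(sci, int) and not isinstance(sci, bool):
        job["StartInterval"] = job.pop("StartCalendarInterval")
    job["Disabled"] = False
    return plistlib.dumps(job)


if __name__ == "__main__":
    for p in lint_kinit_job(POSTED_PLIST):
        print("posted plist:", p)
    fixed = fix_kinit_job(POSTED_PLIST)
    print("fixed plist problems:", lint_kinit_job(fixed))
```

Run it as-is and it reports the two findings on the posted job (the seconds value under StartCalendarInterval and the Disabled flag) and an empty list for the corrected plist; lint the real file with `lint_kinit_job(open(path, "rb").read())` before `launchctl load`. None of this addresses the CCacheServer problem the reply describes; it only removes the configuration mistakes that would otherwise be confused with it.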