strange problem with kinit

Kevin Coffman kwc at umich.edu
Tue Jun 24 17:45:42 EDT 2008


I don't have an answer to why the cron thing fails.  However, running
gssd with -vvv will give a clue toward what credentials caches are
being considered.

I would suggest using a keytab rather than keeping a password around
in a script, file, or wherever you are keeping it now.

You might also want to look at kstart and krenew:

http://www.eyrie.org/~eagle/software/kstart/
http://www.eyrie.org/~eagle/software/kstart/krenew.html


On Tue, Jun 24, 2008 at 4:17 PM, Rohit Kumar Mehta
<rohitm at engr.uconn.edu> wrote:
>
> Hi guys, is there any reason running kinit from a cronjob would have
> different results from running from the shell?
>
> Here is my problem in a nutshell:  We are trying to set up a webserver to
> serve NFS-mounted public_html directories with sec=krb5.   The apache
> process (running as nobody) needs some kerberos credentials to access
> these NFS exported files (perms 755). To solve this I create a crontab
> for nobody which issues a command like the following:
>
>    echo myPassword | kinit nobody at AD.ENGR.UCONN.EDU
>
> Before my cronjob runs, I su to nobody and run klist:
>
>    nobody at sumo2:/root$ klist
>    klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_65534)
>
>
>    Kerberos 4 ticket cache: /tmp/tkt65534
>    klist: You have no tickets cached
>
> If I do an "ls /home/rohitm/public_html", I get a "Permission denied"
> error, and see the following in my logs:
>
> Jun 24 15:44:43 sumo2 rpc.gssd[3968]: ERROR: GSS-API: error in
> gss_acquire_cred(): Unspecified GSS failure.  Minor code may provide
> more information - No credentials cache found
> Jun 24 15:44:43 sumo2 rpc.gssd[3968]: WARNING: Failed to create krb5
> context for user with uid 65534 for server filesm.ad.engr.uconn.edu
>
> Now when the cronjob fires, I su to nobody and issue a klist:
>
>    nobody at sumo2:~$ klist -f
>    Ticket cache: FILE:/tmp/krb5cc_65534
>    Default principal: nobody at AD.ENGR.UCONN.EDU
>
>    Valid starting     Expires            Service principal
>    06/24/08 15:30:02  06/25/08 01:30:02  krbtgt/AD.ENGR.UCONN.EDU at AD.ENGR.UCONN.EDU
>            renew until 06/25/08 15:30:02, Flags: FRIA
>    06/24/08 15:30:32  06/25/08 01:30:02  nfs/filesm.ad.engr.uconn.edu at AD.ENGR.UCONN.EDU
>            renew until 06/25/08 15:30:02, Flags: FRA
>    06/24/08 15:30:32  06/25/08 01:30:02  FILESM$@AD.ENGR.UCONN.EDU
>            renew until 06/25/08 15:30:02, Flags: FRA
>
>
>    Kerberos 4 ticket cache: /tmp/tkt65534
>    klist: You have no tickets cached
>
> Now comes the confusing part.  At this point issuing a command like
> "ls -al /home/rohitm" *sometimes* succeeds, and other times it will
> continue to fail until the next time the cronjob trips or I run the
> kinit manually.  I am really not sure what is going on, but I did find
> this thread:
>
>    http://linux-nfs.org/pipermail/nfsv4/2007-October/006915.html
>
> and am trying out kkeepd.  In the meantime, does anyone know why my
> "echo password | kinit" seems to fail intermittently?
>
> --
> Rohit Mehta
> Computer Engineer
> University of Connecticut
> Engineering Computing Services
> 371 Fairfield Road Unit 2031
> Storrs, CT 06269-2031
>
> Office: (860) 486 - 2331
> Fax: (860) 486 - 1273
>
>
> _______________________________________________
> NFSv4 mailing list
> NFSv4 at linux-nfs.org
> http://linux-nfs.org/cgi-bin/mailman/listinfo/nfsv4
>
>
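
The keytab suggestion in the reply above, sketched as a cron-safe refresh script. This is an added example, not code from the original thread or from the kstart project; the keytab path is a hypothetical placeholder, and the principal and cache name are taken from the quoted klist output.

```sh
#!/bin/sh
# Added example: refresh a ticket cache from a keytab instead of piping a
# password into kinit. KEYTAB is a hypothetical path (assumption).
KEYTAB=${KEYTAB:-/etc/apache2/nobody.keytab}
PRINCIPAL=${PRINCIPAL:-nobody@AD.ENGR.UCONN.EDU}
CCACHE=${CCACHE:-FILE:/tmp/krb5cc_$(id -u)}

# A keytab is a long-term secret, equivalent to the password. Accept it only
# if it is a regular file (not a symlink), owned by the calling user, and
# carries no group or other permission bits.
keytab_is_safe() {
    kt=$1
    [ -f "$kt" ] || return 1
    [ ! -L "$kt" ] || return 1
    [ -O "$kt" ] || return 1
    [ -r "$kt" ] || return 1
    perms=$(ls -ld "$kt" | cut -c5-10)   # group+other bits of the mode string
    [ "$perms" = "------" ]
}

# Obtain a fresh TGT non-interactively. Returns non-zero (so cron mails the
# error) when the keytab is unsafe or kinit fails.
refresh_tickets() {
    if ! keytab_is_safe "$KEYTAB"; then
        echo "refusing keytab $KEYTAB: missing, not ours, or group/world accessible" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL"
}

# Run from cron as: /path/to/this/script --refresh
if [ "${1:-}" = "--refresh" ]; then
    refresh_tickets
fi
```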


