Inittab launching K5start too soon

Russ Allbery rra at stanford.edu
Wed May 11 20:37:07 EDT 2011


Jaap Winius <jwinius at umrk.nl> writes:

> Hi folks,

> The Debian squeeze workstations at my site rely on a combination of
> Kerberos, OpenLDAP and OpenAFS client software to connect to the
> network. It works well enough for me, but the more workstations that are
> added the more often there are complaints of login problems immediately
> after bootup.

> This is caused by k5start being launched from /etc/inittab, so it begins
> its attempts to obtain a TGT before the network is available and does
> not initially succeed. This leads to problems for many other processes
> that are started after the network interface, resulting in a temporary
> slew of libnss-ldap related GSSAPI errors (Credentials cache file
> '/tmp/krb5cc_0' not found).

Are you only using k5start to support libnss-ldap?  If so, one option
would be to switch to libnss-ldapd (which I think is a superior model
anyway) and then modify its init script to run the daemon under k5start.
Then you wouldn't need the inittab entry.

If you also are using those credentials for other things, such as NFS,
then it's not so simple.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>



More information about the Kerberos mailing list