kerberos & cron - specifically nfsv4 w/sec=krb5p
Matt Garman
matthew.garman at gmail.com
Tue Sep 11 15:24:29 EDT 2012
Hi,

I have a server farm where all servers mount an NFSv4 share using the
"sec=krb5p" option. What I'd like is for users to be able to access
this share in automated jobs that are run via cron.

I saw that there is a FAQ on this:
http://www.faqs.org/faqs/kerberos-faq/general/section-61.html#b

But either I'm doing something wrong or missing some subtlety, as any
automated job is still getting "permission denied" for the nfsv4
share.

First question: say I have a user named "matt" on my systems. Login
authentication is controlled via Kerberos as well, so I have a
principal "matt at MYDOMAIN.COM", secured with a password. It seems that
if I export the key to a file (in kadmin: "ktadd -k matt.keytab
matt"), then the password no longer works. Is this correct, that a
password and keytab file are mutually exclusive? That appears to be
the case...

Based on my assumption that I can't have both a password and valid key
file, I tried to create a special principal, per the FAQ:

kadmin: addprinc -randkey matt/cron
kadmin: ktadd -k matt_cron.keytab matt/cron

So now, in the crontab for user "matt", I prefix all commands with
"kinit -k -t matt_cron.keytab matt/cron". But jobs still fail with
"permission denied" for the nfsv4 share. After invoking the kinit
command, I do have a valid TGT, verified with klist.

So... what am I missing?

Thanks,
Matt
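
The crontab prefix described in the message above, written as a wrapper that returns a distinct status for each step, so a failed job shows whether the keytab, the ticket request, or the job itself was the problem. This is an added example, not part of the original post; the function name krb_cron_run and its return codes are assumptions made here, and the klist -s check assumes MIT Kerberos client tools.

```shell
#!/bin/sh
# Added example: cron wrapper around "kinit -k -t KEYTAB PRINCIPAL".
# Return codes (chosen for this example, not a standard):
#   2 usage error            3 keytab missing or unreadable
#   4 keytab has group/other permission bits set
#   5 kinit failed           6 no valid ticket in the cache after kinit
#   anything else is the exit status of the job itself
krb_cron_run() {
    if [ "$#" -lt 3 ]; then
        echo "usage: krb_cron_run KEYTAB PRINCIPAL COMMAND [ARGS...]" >&2
        return 2
    fi
    kcr_keytab=$1
    kcr_princ=$2
    shift 2

    [ -r "$kcr_keytab" ] || { echo "keytab not readable: $kcr_keytab" >&2; return 3; }

    # A keytab holds the principal's long-term key, so treat it like a
    # password file: characters 5-10 of the mode string are the group and
    # other bits and must all be "-".
    kcr_mode=$(ls -ld "$kcr_keytab" | cut -c5-10)
    [ "$kcr_mode" = "------" ] || { echo "keytab mode too open: $kcr_keytab" >&2; return 4; }

    # Request a TGT from the keytab into the user's default credential cache.
    kinit -k -t "$kcr_keytab" "$kcr_princ" || { echo "kinit failed: $kcr_princ" >&2; return 5; }

    # klist -s is silent; its exit status reports whether the cache holds
    # unexpired credentials.
    klist -s || { echo "no valid ticket after kinit" >&2; return 6; }

    # Run the job and hand its exit status back to cron.
    "$@"
}

# When executed with arguments (for example from a crontab line), run them.
[ "$#" -eq 0 ] || krb_cron_run "$@"
```

A crontab entry for user "matt" would call the script with the keytab, the principal matt/cron, and the job command; statuses 3 to 6 point at the Kerberos side rather than at the job.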