kerberos & cron - specifically nfsv4 w/sec=krb5p

Russ Allbery rra at stanford.edu
Tue Sep 11 15:32:03 EDT 2012


Matt Garman <matthew.garman at gmail.com> writes:

> First question: say I have a user named "matt" on my systems.  Login
> authentication is controlled via Kerberos as well, so I have a principal
> "matt at MYDOMAIN.COM", secured with a password.  It seems that if I export
> the key to a file (in kadmin: "ktadd -k matt.keytab matt"), then the
> password no longer works.  Is this correct, that a password and keytab
> file are mutually exclusive?  That appears to be the case...

Normally when you create a keytab for a user, that process randomizes the
key, so it invalidates any old keys.  From the syntax you're using, you're
apparently using MIT Kerberos; with MIT Kerberos, you can run kadmin.local
on the KDC directly and then use ktadd with the -norandkey flag to extract
keys without changing them for a user.  However, using a separate
principal is generally better.

> Based on my assumption that I can't have both a password and valid key
> file, I tried to create a special principal, per the FAQ:

> kadmin: addprinc -randkey matt/cron
> kadmin: ktadd -k matt_cron.keytab matt/cron

> So now, in the crontab for user "matt", I prefix all commands with
> "kinit -k -t matt_cron.keytab matt/cron".  But jobs still fail with
> "permission denied" for the nfsv4 share.  After invoking the kinit
> command, I do have a valid TGT, verified with klist.

> So... what am I missing?

Either NFS doesn't understand matt/cron as a user, or the local daemon
that handles user credentials can't find the tickets.  I believe you do
have to be careful about how you name the ticket cache for NFS to pick it
up.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list