kerberos & cron - specifically nfsv4 w/sec=krb5p
Matt Garman
matthew.garman at gmail.com
Tue Sep 18 15:43:17 EDT 2012
On Tue, Sep 18, 2012 at 12:52 PM, Frank Cusack <frank at linetwo.net> wrote:
> At least it should tell you where to drop keytabs and how to name them so
> that the daemon can pick them up.
> [...]
> You're likely just not dropping the keytab into the right location and with
> the right naming convention.
Are you talking about the system keytab, which I understand is only
used to mount the share; or the individual user's keytab, to be used
for per-file permissions?
Take a look at http://linux.die.net/man/8/rpc.gssd, which is more or
less the same as "man rpc.gssd" on my system. The -k param tells the
daemon where to find "machine credentials"; the default is
/etc/krb5.keytab. I think I have this much right, or I wouldn't be
able to mount the share at all. The -d param tells the daemon where
to find Kerberos credential files, the default being /tmp, which is
where I see all my krb5cc_* files naturally going.
> If the server is also RH then the stuff about idmap is a red herring. Linux
> treats all instances (/foo) as equivalent to the main principal for NFS
> purposes. So as long as your principal names match your usernames, and the
> server can lookup username->uid, as would normally be the case, then you're
> good from that end.
If true (and I hope it is!), I can't seem to figure out how to make it a go.
Isn't the above path stuff kind of pointless anyway, since I can use
-k -t <file> with kinit at the user level? Which I have to do anyway,
from within cron?
Thanks again!
Matt
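
The kinit -k -t approach from cron mentioned above, as an added example that is not part of the original message: a wrapper that refuses a loosely protected per-user keytab, then writes the ticket to the krb5cc_<uid> file in the directory rpc.gssd -d scans. The script name, keytab path, principal, and exit code 77 are assumptions; it assumes Linux with GNU stat.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical crontab entry:
#   */15 * * * * /usr/local/bin/krb-cron.sh $HOME/.keytabs/user.keytab user@EXAMPLE.COM /path/to/job

# Credential cache file name that rpc.gssd would look for under its -d
# directory (default /tmp in the man page quoted above) for a given uid.
ccache_path() {
    printf '%s/krb5cc_%s\n' "${1:-/tmp}" "${2:-$(id -u)}"
}

# A keytab is a long-term secret equivalent to the password. Accept it only
# if it is a regular file (not a symlink), owned by us, mode 0600 or 0400.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    [ -O "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt") || return 1
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Check the keytab, get a ticket into the cache rpc.gssd will find, run the job.
run_with_ticket() {
    keytab=$1
    principal=$2
    shift 2
    if ! keytab_is_private "$keytab"; then
        echo "refusing $keytab: need regular file, owned by $(id -un), mode 0600 or 0400" >&2
        return 77
    fi
    KRB5CCNAME="FILE:$(ccache_path)"
    export KRB5CCNAME
    kinit -k -t "$keytab" "$principal" || return 1
    "$@"
}

# Run only when called as: script <keytab> <principal> <command> [args...]
if [ "$#" -ge 3 ]; then
    run_with_ticket "$@"
fi
```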