Sporadic kinit failures

hectorl hectorlas at yahoo.com
Fri Dec 27 13:57:03 EST 2013


I've set up my Active Directory server, Linux client, and /etc/krb5.conf file
successfully to the point that I can run

    kinit ad_user

and klist shows the ticket I received.  I can kdestroy / kinit ad_user
repeatedly and see my ticket with the new expiration date.

My problem happens during scripting.  I'm setting up a remote machine over
ssh with a python script, and among other things, it's running
"kinit ad_user".  I've noticed that when running it this way, I would
occasionally see:

    - Password for ad_user at TESTDOMAIN.COM

or

    - kinit: Preauthentication failed while getting initial credentials

I updated my script to retry based on seeing these messages returned.  If
I'm on the same subnet as my remote machine, it works within 3 retries every
time so far.  If I'm on a different subnet, 3 has never worked, it's more
like 8-10 plus successively longer delays in between to get it to work
successfully (retry * 3 seconds, a constant 5 second delay between still
fails)... and once it does work successfully, my script immediately does a
"kinit -l 30 ad_user", which has worked every time.

I've verified that my command sequence is correct by manually ssh'ing in and
running the commands in the history buffer and seeing them work as expected
(local or remote subnet).  

Does anyone understand why automating the commands would have different
results from running them by hand?  Are there some conditions I need to meet
before I can run kinit the way I'm trying to?

Thanks for reading.
Hector
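
The retry-on-known-message behaviour described in the post, written out as an added example (not the poster's script). It assumes an MIT kinit that reads the password from stdin when stdin is not a terminal, and it runs kinit locally rather than over ssh; the function names, `max_tries` and `step` are hypothetical.

```python
import subprocess
import time

# Substrings of the two messages quoted in the post; other failures are not retried.
PREAUTH_FAILED = "Preauthentication failed while getting initial credentials"
PASSWORD_PROMPT = "Password for "


def run_kinit(principal, password, extra_args=()):
    """Run kinit once; return (exit code, combined stdout and stderr).

    The password goes to stdin, never argv, so it stays out of the process list.
    Assumption: kinit accepts the password on a non-terminal stdin.
    """
    proc = subprocess.run(
        ["kinit", *extra_args, principal],
        input=password + "\n", capture_output=True, text=True,
    )
    return proc.returncode, proc.stdout + proc.stderr


def classify(returncode, output):
    """Map one attempt to 'ok', 'retry' (a message from the post) or 'fatal'."""
    if returncode == 0:
        return "ok"
    if PREAUTH_FAILED in output or PASSWORD_PROMPT in output:
        return "retry"
    return "fatal"


def kinit_with_retry(principal, password, max_tries=10, step=3,
                     runner=run_kinit, sleep=time.sleep):
    """Retry with a linearly growing delay (attempt * step seconds).

    Returns (success, history); history records every attempt's verdict and
    output so the failure pattern can be reviewed instead of being discarded.
    """
    history = []
    for attempt in range(1, max_tries + 1):
        code, output = runner(principal, password)
        verdict = classify(code, output)
        history.append((attempt, verdict, output.strip()))
        if verdict == "ok":
            return True, history
        if verdict == "fatal":
            break  # unknown error: retrying would only hide it
        if attempt < max_tries:
            sleep(attempt * step)
    return False, history
```

`runner` and `sleep` are injectable so the loop can be exercised without a KDC; the returned history makes it possible to compare how many attempts each subnet needs.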


