create root cache on boot

steve steve at
Thu May 2 04:23:59 EDT 2013

On 02/05/13 06:45, Benjamin Kaduk wrote:
> On Wed, 1 May 2013, steve wrote:
>> openSUSE 12.3 with Samba 4.0 KDC
>> Hi
>> Our Linux clients need a root cache available for cifs mounts. I have a
>> machine key available on all clients. I've put:
>> kinit -k -t /etc/krb5.keytab MACHINE$
>> in /etc/init.d/boot.local
>> Other commands in boot.local run just fine except for the kinit. I know
>> that the network is up and that the KDC is available because sssd uses
>> the same machine key to create its own cache.
> Are you sure that the network is up? (What have you done to test?)  Do 
> you have a dependency chart or ordering of your system's init 
> scripts?  I would expect that sssd is starting from something in 
> /etc/init.d/ but your boot.local is running before that.
> Probably you should move that kinit invocation into a dedicated init 
> script that orders itself with respect to $network (and also whatever 
> needs cifs).
>> Any ideas as to why the kinit fails in the boot script when other
>> commands are OK?
> I suspect that the network is not actually up. (N.b. sometimes 
> $network having completed does not actually mean the network is up.)  
> You could test by using ping or route or something to test for 
> connectivity in the same place where your kinit is failing.
> -Ben Kaduk


I run sssd by just calling the binary. I know the network must be up and 
the KDC available because sssd fires up and gets a ticket just fine. DNS 
must be OK otherwise sssd wouldn't be able to authenticate. It's using 
the same key as the kinit command but I've tried other keys too. I 
tested the network just before the kinit by adding
systemctl status network > /tmp/net.txt
network.service - LSB: Configure network interfaces and set up routing
           Loaded: loaded (/etc/init.d/network)
           Active: active (running) since Thu, 2013-05-02 10:21:25 CEST; 1s ago
          Process: 512 ExecStart=/etc/init.d/network start (code=exited, 

Here's the content of /etc/init.d/boot.local
kinit -k -t /etc/krb5.keytab CATRAL$

Here is the content of the service file
Description=/etc/init.d/boot.local Compatibility

This is krb5.conf
         default_realm = HH3.SITE
         dns_lookup_realm = false
         dns_lookup_kdc = true
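
The connectivity test suggested in the quoted reply, placed at the point where kinit runs, as an added example that is not part of the original message. The keytab path, principal and realm come from the post; the log path, retry values, function names and the PROBE/KINIT override variables are hypothetical, and the host(1) utility is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Keytab, principal and realm are taken
# from the post; log path, retry values and function names are hypothetical.
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
PRINCIPAL="${PRINCIPAL:-MACHINE\$}"
REALM="${REALM:-HH3.SITE}"
LOG="${LOG:-/var/log/root-kinit.log}"   # root-only location, not /tmp
TRIES="${TRIES:-10}"
DELAY="${DELAY:-3}"

# krb5.conf has dns_lookup_kdc = true, so the KDC is found through DNS SRV
# records. Resolving that record tests what kinit needs, which
# "network.service is active" does not. Assumes the host(1) utility.
probe_kdc() {
    host -t SRV "_kerberos._udp.$REALM" >/dev/null 2>&1
}

get_ticket() {
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# Retry until the probe and kinit both succeed. kinit's stderr goes to the
# log, so a boot-time failure leaves the actual error message behind.
# PROBE and KINIT may name replacement commands (used for testing).
root_kinit() {
    n=1
    while [ "$n" -le "$TRIES" ]; do
        if ! ${PROBE:-probe_kdc}; then
            echo "attempt $n: KDC SRV lookup failed" >>"$LOG"
        elif ${KINIT:-get_ticket} 2>>"$LOG"; then
            echo "attempt $n: ticket obtained" >>"$LOG"
            return 0
        else
            echo "attempt $n: kinit failed" >>"$LOG"
        fi
        if [ "$n" -lt "$TRIES" ]; then sleep "$DELAY"; fi
        n=$((n + 1))
    done
    return 1
}

# Run only when invoked as an init script with "start".
if [ "${1:-}" = "start" ]; then
    root_kinit
fi
```

The log then shows whether a boot-time failure was a name-resolution problem or an error reported by kinit itself.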
