create root cache on boot

steve steve at steve-ss.com
Thu May 2 04:23:59 EDT 2013


On 02/05/13 06:45, Benjamin Kaduk wrote:
> On Wed, 1 May 2013, steve wrote:
>
>> openSUSE 12.3 with Samba 4.0 KDC
>>
>> Hi
>> Our Linux clients need a root cache available for cifs mounts. I have a
>> machine key available on all clients. I've put:
>> kinit -k -t /etc/krb5.keytab MACHINE$
>> in /etc/init.d/boot.local
>> Other commands in boot.local run just fine except for the kinit. I know
>> that the network is up and that the KDC is available because sssd uses
>> the same machine key to create its own cache.
>
> Are you sure that the network is up? (What have you done to test?)  Do 
> you have a dependency chart or ordering of your system's init 
> scripts?  I would expect that sssd is starting from something in 
> /etc/init.d/ but your boot.local is running before that.
>
> Probably you should move that kinit invocation into a dedicated init 
> script that orders itself with respect to $network (and also whatever 
> needs cifs).
>
>
>> Any ideas as to why the kinit fails in the boot script when other
>> commands are OK?
>
> I suspect that the network is not actually up. (N.b. sometimes 
> $network having completed does not actually mean the network is up.)  
> You could test by using ping or route or something to test for 
> connectivity in the same place where your kinit is failing.
>
> -Ben Kaduk

Hi

I run sssd by just calling the binary. I know the network must be up and 
the KDC available because sssd fires up and gets a ticket just fine. DNS 
must be OK otherwise sssd wouldn't be able to authenticate. It's using 
the same key as the kinit command but I've tried other keys too. I 
tested the network just before the kinit by adding
systemctl status network > /tmp/net.txt
network.service - LSB: Configure network interfaces and set up routing
          Loaded: loaded (/etc/init.d/network)
          Active: active (running) since Thu, 2013-05-02 10:21:25 CEST; 1s ago
         Process: 512 ExecStart=/etc/init.d/network start (code=exited, status=0/SUCCESS)

Here's the content of /etc/init.d/boot.local
sssd
kinit -k -t /etc/krb5.keytab CATRAL$

Here is the content of the service file
[Unit]
Description=/etc/init.d/boot.local Compatibility
After=network.target
[Service]
Type=oneshot
ExecStart=/etc/init.d/boot.local
TimeoutSec=0
RemainAfterExit=yes
SysVStartPriority=99

This is krb5.conf
[libdefaults]
         default_realm = HH3.SITE
         dns_lookup_realm = false
         dns_lookup_kdc = true
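An added example, not from the thread, of the dedicated unit Ben suggests in place of the kinit line in boot.local: it orders after network-online.target rather than network.target (which only means interfaces were configured), retries kinit while DNS and the KDC come up, and runs before remote filesystems are mounted. The unit name, retry count, klist path and the Before=remote-fs.target ordering are assumptions; the keytab path and principal are those from the post.

```ini
[Unit]
Description=Root Kerberos credential cache from the host keytab
# network.target is reached once interfaces are configured; network-online.target
# is reached once the network service reports connectivity (assumption: the
# network service on this host implements that signal).
Wants=network-online.target
After=network-online.target
# Run before the cifs mounts (remote-fs.target) are attempted.
Before=remote-fs.target

[Service]
Type=oneshot
RemainAfterExit=yes
# DNS and the KDC can still lag the "online" signal, so retry a few times
# before giving up. "$$" is how a literal "$" (the machine account name) is
# written inside ExecStart.
ExecStart=/bin/sh -c 'for i in 1 2 3 4 5 6; do kinit -k -t /etc/krb5.keytab CATRAL$$ && exit 0; sleep 5; done; exit 1'
# Record the obtained tickets in the journal for troubleshooting.
ExecStartPost=/usr/bin/klist

[Install]
WantedBy=multi-user.target
```

After `systemctl enable` on the unit, `journalctl -u <unit>` shows the kinit error text if every attempt fails, which is the detail boot.local does not keep.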


