documentation on how to set $KRB5CCNAME for kerberized/gssapi applications

Tom Yu tlyu at mit.edu
Thu Oct 9 18:28:08 EDT 2014


Natxo Asenjo <natxo.asenjo at gmail.com> writes:

> When implementing rsyslog with gssapi
> (http://www.rsyslog.com/doc/gssapi.html) I came across the issue
> that the rsyslog software expects the credentials cache of the host
> principal in /tmp/krb5cc_0; the centos 6.5 hosts joined to a freeipa
> kerberos domain save that to /var/tmp/host_0 .

/var/tmp/host_0 looks more like a replay cache (rcache) filename to me.
Are you seeing this on the rsyslog server or the rsyslog client?

> I tried setting this:
>
> KRB5CCNAME='/var/tmp/host_0'
>
> or variations on that (double inverted commas, no commas) in
> /etc/sysconfig/rsyslog which is the place where one expects to declare
> such a variable in redhat/centos systems because that file is sourced
> by the init script of rsyslog. But unfortunately rsyslog kept
> requesting the /tmp/krb5cc_0 file.

What error messages did you see?  Is this on the client or the server?

> Copying /var/tmp/host_0 over
> /tmp/krb5cc_0 solves this problem and then one can relay syslog
> messages using kerberos authentication, but it is not really elegant.

I would not expect that to work if /var/tmp/host_0 were a replay cache,
so maybe it is a ccache after all.
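
Added example, not part of the original message and not MIT krb5 or rsyslog code: one way to settle whether a file such as /var/tmp/host_0 is a FILE credential cache is to parse its header and read the default principal. The function names and the sample principal are assumptions made up for the illustration; the sample bytes are constructed inline.

```python
import struct
import sys

def build_sample_ccache(realm, components):
    """Constructed sample: version-4 FILE ccache header plus default principal."""
    def counted(b):
        return struct.pack(">I", len(b)) + b
    header = struct.pack(">HHii", 1, 8, 0, 0)   # tag 1 (KDC time offset), 8 data bytes
    out = b"\x05\x04" + struct.pack(">H", len(header)) + header
    out += struct.pack(">II", 1, len(components))   # name type 1, component count
    return out + counted(realm) + b"".join(counted(c) for c in components)

def default_principal(data):
    """Return 'comp/comp@REALM' if data starts like a FILE ccache, else None."""
    # A FILE ccache starts with byte 0x05 followed by the format version 1..4.
    if len(data) < 2 or data[0] != 5 or data[1] not in (1, 2, 3, 4):
        return None
    version = data[1]
    order = ">" if version >= 3 else "="   # versions 1 and 2 use native byte order
    pos = 2
    try:
        if version == 4:                   # v4 adds a length-prefixed header block
            (hlen,) = struct.unpack_from(">H", data, pos)
            pos += 2 + hlen
        if version >= 2:                   # name type is absent in version 1
            pos += 4
        (count,) = struct.unpack_from(order + "I", data, pos)
        pos += 4
        if version == 1:                   # v1 counts the realm as a component
            count -= 1
        parts = []
        for _ in range(count + 1):         # realm first, then each component
            (n,) = struct.unpack_from(order + "I", data, pos)
            pos += 4
            if pos + n > len(data):
                return None                # truncated or not really a ccache
            parts.append(data[pos:pos + n].decode("utf-8", "replace"))
            pos += n
    except struct.error:
        return None
    if not parts:
        return None
    return "/".join(parts[1:]) + "@" + parts[0]

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # path of the file to inspect
        with open(sys.argv[1], "rb") as f:
            print(default_principal(f.read(4096)))
    else:                                  # no path given: run on the constructed sample
        print(default_principal(build_sample_ccache(b"EXAMPLE.COM", [b"host", b"client.example.com"])))
```

A None result means the file does not begin with a parseable ccache header; a principal string shows which identity the cache belongs to.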

