documentation on how to set $KRB5CCNAME for kerberized/gssapi applications

Natxo Asenjo natxo.asenjo at gmail.com
Mon Oct 13 07:55:26 EDT 2014


On Fri, Oct 10, 2014 at 12:28 AM, Tom Yu <tlyu at mit.edu> wrote:
> Natxo Asenjo <natxo.asenjo at gmail.com> writes:
>
>> When implementing rsyslog with gssapi
>> (http://www.rsyslog.com/doc/gssapi.html)  I came across the issue
>> that the rsyslog software expects the credentials cache of the host
>> principal in /tmp/krb5cc_0; the centos 6.5 hosts joined to a freeipa
>> kerberos domain save that to /var/tmp/host_0 .
>
> /var/tmp/host_0 looks more like a replay cache (rcache) filename to me.
> Are you seeing this on the rsyslog server or the rsyslog client?

I think you are correct. When looking at that file I see my kerberos
principal named a few times with this type of string: HASH:lotsofhex,
so this looks like one of those files.

>> I tried setting this:
>>
>> KRB5CCNAME='/var/tmp/host_0'
>>
>> or variations on that (double inverted commas, no commas) in
>> /etc/sysconfig/rsyslog which is the place where one expects to declare
>> such a variable in redhat/centos systems because that file is sourced
>> by the init script of rsyslog. But unfortunately rsyslog kept
>> requesting the /tmp/krb5cc_0 file.
>
> What error messages did you see?  Is this on the client or the server?

This is on the client. The messages I get on the client:

Oct 13 13:47:19 host rsyslogd-2024: GSS-API Context initialization failed
 [try http://www.rsyslog.com/e/2024 ]
Oct 13 13:47:19 host rsyslogd: GSS-API error initializing context:
Unspecified GSS failure.  Minor code may provide more information

Oct 13 13:47:19 host rsyslogd: GSS-API error initializing context:
Credentials cache file '/tmp/krb5cc_0' not found


Thanks,
--
Groeten,
natxo
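
A check for the symptom described in the message above, as an added example that is not part of the original post or of rsyslog: it reads a process environment in /proc/<pid>/environ format to see whether KRB5CCNAME actually reached the daemon (a variable assigned in a file the init script sources only reaches the daemon if it is exported), then resolves which FILE cache would be used and whether it exists. The function names and the /tmp/krb5cc_<uid> fallback are assumptions; the fallback is taken from the error message quoted above.

```shell
#!/bin/sh
# Added example: function names are constructed for illustration.

# Print the KRB5CCNAME value found in a NUL-separated environment file
# (the format of /proc/<pid>/environ on Linux). Prints nothing if unset.
ccname_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5CCNAME=//p' | head -n 1
}

# Resolve the file path that a FILE-type cache name points to.
# $1 = KRB5CCNAME value (may be empty), $2 = numeric uid of the process.
# Assumption: with no KRB5CCNAME the library falls back to /tmp/krb5cc_<uid>,
# as in the quoted error message (krb5.conf may override this default).
# Prints nothing and returns 1 for cache types that are not plain files.
ccache_path() {
    case "$1" in
        "")      printf '/tmp/krb5cc_%s\n' "$2" ;;
        FILE:*)  printf '%s\n' "${1#FILE:}" ;;
        /*)      printf '%s\n' "$1" ;;      # bare path is treated as FILE:
        *)       return 1 ;;                # e.g. DIR:, KEYRING:, MEMORY:
    esac
}

# Report which cache a process would use and whether the file is present.
# Returns 2 when the resolved cache file does not exist.
check_ccache() {
    envfile=$1
    uid=$2
    name=$(ccname_from_environ "$envfile")
    if ! path=$(ccache_path "$name" "$uid"); then
        echo "non-file cache: $name"
        return 0
    fi
    if [ -z "$name" ]; then
        src="default (KRB5CCNAME not in process environment)"
    else
        src="KRB5CCNAME"
    fi
    if [ -f "$path" ]; then
        echo "ok: $path from $src"
    else
        echo "missing: $path from $src"
        return 2
    fi
}

# Usage on a live system, as root:
#   check_ccache "/proc/$(pidof rsyslogd)/environ" 0
```
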