Problem with /tmp/krb5cc_%uid cache file name

Rainer Krienke krienke at uni-koblenz.de
Thu Dec 17 08:47:43 EST 2015


Hello,

a while ago I set up NFS4/Kerberos in our network. So all NFS mounts are
done via NFS4. We are using MIT kerberos 5. In krb5.conf I configured
the credential cache file as:

default_ccache_name = /tmp/krb5cc_%{uid}

Now basically this setup works. However I have one problem that is
related to the cron-Principal and the default_ccache_name value.

Each user in my setup has a principal username@KRBREALM, for nfs access
there is an additional nfs/<fqdn>@KRBREALM principal. Users wanting to
run cron jobs have a username/cron@KRBREALM principal and a local
keytab file on the cron host to which the cron principal was exported.

Now when a user logs in on the cron host a /tmp/krb5cc_<%uid> file is
created with a default principal of username@KRBREALM. It contains the
krbtgt service principal as well as nfs/<fqdn> service principals.

Next a cron job of this user starts. For this purpose the user prepends
its real cron job with a call like

kinit -k -t /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM

And since default_ccache_name is set to /tmp/krb5cc_%{uid} and the uid
of this user is always the same the file /tmp/krb5cc_<%uid> is
overwritten now containing the cron default principal. The user default
principal that was in there before is deleted. And since we see NFS
problems once a week on this host my guess is that this overwriting of
credential cache files might be the origin.

What I would like to have is either a way to *add* a cron service
principal to a possibly existing /tmp/krb5cc_%{uid} file with the
default user principal or to use a different default_ccache_name for
cron with something like:

	default_ccache_name = /tmp/krb5cc_{%service}

however there is no %service parameter expansion available.

Any idea how to solve this name-conflict?

Thanks for your help
Rainer
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
Web: http://userpages.uni-koblenz.de/~krienke
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html
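One way to keep the cron principal out of the login cache, as an added example that is not part of Rainer's post: instead of a `default_ccache_name` expansion that does not exist, the cron job can point `KRB5CCNAME` (or, equivalently, `kinit -c`) at a per-job cache before calling `kinit`, so `/tmp/krb5cc_<uid>` is never overwritten. The keytab path is the one from the post; the principal, the job name and the command are placeholders.

```shell
#!/bin/sh
# Wrapper for Kerberos-authenticated cron jobs: obtain the job's ticket
# into its own credential cache rather than the user's login cache.
# Added example, not code from the original post.

# Build a cache name private to this uid and job, e.g. FILE:/tmp/krb5cc_1000_backup.
# The job name is restricted to a safe character set so it cannot alter the path.
cron_ccache_name() {
    uid=$1
    job=$2
    case $job in
        ''|*[!A-Za-z0-9_-]*) echo "bad job name: $job" >&2; return 1 ;;
    esac
    case $uid in
        ''|*[!0-9]*) echo "bad uid: $uid" >&2; return 1 ;;
    esac
    printf 'FILE:/tmp/krb5cc_%s_%s\n' "$uid" "$job"
}

# Run a command with credentials from a keytab, in a dedicated cache.
# Usage: run_with_cron_creds KEYTAB PRINCIPAL JOBNAME COMMAND [ARGS...]
# KRB5CCNAME overrides default_ccache_name for kinit, kdestroy and the
# command, so the login cache /tmp/krb5cc_<uid> is left untouched.
run_with_cron_creds() {
    keytab=$1
    principal=$2
    job=$3
    shift 3
    KRB5CCNAME=$(cron_ccache_name "$(id -u)" "$job") || return 1
    export KRB5CCNAME
    # The library creates the cache file with mode 0600 owned by the caller.
    kinit -k -t "$keytab" "$principal" || return 1
    "$@"
    rc=$?
    # Remove the job's ticket when done; the login cache is not affected.
    kdestroy
    return $rc
}

# Example crontab line (placeholders for principal and command):
#   0 2 * * * /usr/local/bin/cronwrap.sh /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM backup /usr/local/bin/nightly-backup
if [ $# -ge 4 ]; then
    run_with_cron_creds "$@"
fi
```

Because each job gets its own cache file, the NFS client keeps finding the user's `nfs/<fqdn>` tickets in the login cache, and the cron principal's tickets are discarded by `kdestroy` when the job exits.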
