Problem with /tmp/krb5cc_%uid cache file name

Ben Gooley bgooley at cloudera.com
Thu Dec 17 11:07:29 EST 2015 

oops... that sent prematurely.  I was going to add that for the cron
scripts, you would want to make the cache file unique (perhaps with a
timestamp appended).

Ben

On Thu, Dec 17, 2015 at 8:05 AM, Ben Gooley <bgooley at cloudera.com> wrote:

> Rainer,
>
> We have a KB article that will likely help:
>
> Scripting Against a Kerberos Enabled Cluster
> <https://na29.salesforce.com/articles/KB_Article/Scripting-Against-a-Kerberos-Enabled-Cluster?popup=true&id=kA080000000PLhN>
>
> On Thu, Dec 17, 2015 at 5:47 AM, Rainer Krienke <krienke at uni-koblenz.de>
> wrote:
>
>> Hello,
>>
>> a while ago I set up NFS4/Kerberos in our network. So all NFS mounts are
>> done via NFS4. We are using MIT kerberos 5. In krb5.conf I configured
>> the credential cache file as:
>>
>> default_ccache_name = /tmp/krb5cc_%{uid}
>>
>> Now basically this setup works. However I have one problem that is
>> related to the cron-Principal and the default_ccache_name value.
>>
>> Each user in my setup has a principal username at KRBREALM, for nfs access
>> there is an additional nfs/<fqdn>@KRBREALM principal. Users wanting to
>> run cron jobs have a username/cron at KRBREALM principal and a local
>> keytabfile on the cron host to which the cron principal was exported.
>>
>> Now when a user logs in on the cron host a /tmp/krb5cc_<%uid> file is
>> created with a default principal of username at KRBREALM. It contains the
>> krbtgt service principal  as well as nfs/<fqdn> service principals.
>>
>> Next a cron job of this user starts. For this purpose the user prepends
>> its real cron job with a call like
>>
>> kinit -k -t /etc/cronkeytabs/usercron.keytab username/cron at KRBREALM
>>
>> And since default_ccache_name is set to /tmp/krb5cc_%{uid} and the uid
>> of this user is always the same the file /tmp/krb5cc_<%uid> is
>> overwritten now containing the cron default principal. The user default
>> principal that was in there before is deleted. And since we see NFS
>> problems once a week on this host my guess is that this overwriting of
>> credential cache files might be the origin.
>>
>> What I would like to have is either a way to *add* a cron service
>> principal to a possibly existing /tmp/krb5cc_%{uid} file with the
>> default user principal or to use a different default_ccache_name for
>> cron with something  like:
>>
>>         default_ccache_name = /tmp/krb5cc_{%service}
>>
>> however there is no %service parameter expansion available.
>>
>> Any idea how to solve this name-conflict?
>>
>> Thanks for your help
>> Rainer
>> --
>> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
>> 56070 Koblenz, Tel: +49261287 1312 Fax +49261287 100 1312
>> Web: http://userpages.uni-koblenz.de/~krienke
>> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>
> --
> Ben Gooley
> *Customer Operations Engineer*
>
>
> * <http://www.cloudera.com>*
>



-- 
Ben Gooley
*Customer Operations Engineer*


* <http://www.cloudera.com>*

More information about the Kerberos mailing list