Problem with /tmp/krb5cc_%uid cache file name

Simo Sorce simo at redhat.com
Thu Dec 17 12:18:56 EST 2015


On Thu, 2015-12-17 at 14:47 +0100, Rainer Krienke wrote:
> Hello,
> 
> a while ago I set up NFS4/Kerberos in our network. So all NFS mounts are
> done via NFS4. We are using MIT kerberos 5. In krb5.conf I configured
> the credential cache file as:
> 
> default_ccache_name = /tmp/krb5cc_%{uid}
> 
> Now basically this setup works. However I have one problem that is
> related to the cron-Principal and the default_ccache_name value.
> 
> Each user in my setup has a principal username@KRBREALM, for nfs access
> there is an additional nfs/<fqdn>@KRBREALM principal. Users wanting to
> run cron jobs have a username/cron@KRBREALM principal and a local
> keytabfile on the cron host to which the cron principal was exported.
> 
> Now when a user logs in on the cron host a /tmp/krb5cc_<%uid> file is
> created with a default principal of username@KRBREALM. It contains the
> krbtgt service principal as well as nfs/<fqdn> service principals.
> 
> Next a cron job of this user starts. For this purpose the user prepends
> its real cron job with a call like
> 
> kinit -k -t /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM
> 
> And since default_ccache_name is set to /tmp/krb5cc_%{uid} and the uid
> of this user is always the same the file /tmp/krb5cc_<%uid> is
> overwritten now containing the cron default principal. The user default
> principal that was in there before is deleted. And since we see NFS
> problems once a week on this host my guess is that this overwriting of
> credential cache files might be the origin.
> 
> What I would like to have is either a way to *add* a cron service
> principal to a possibly existing /tmp/krb5cc_%{uid} file with the
> default user principal or to use a different default_ccache_name for
> cron with something like:
> 
> 	default_ccache_name = /tmp/krb5cc_{%service}
> 
> however there is no %service parameter expansion available.
> 
> Any idea how to solve this name-conflict?

Start cron with a different krb5.conf file (using the KRB5_CONFIG
environment variable) and use a completely separate directory for the
ccache files used by cron jobs, so they won't interfere with NFS ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
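The following is an added example, not code from this thread or from MIT Kerberos, showing one way to do what Simo suggests: a wrapper that the cron job is prefixed with instead of the bare kinit call. It copies the system krb5.conf, changes only default_ccache_name in [libdefaults] to point into a directory of its own, exports KRB5_CONFIG so kinit and the job read that copy, and so leaves the interactive /tmp/krb5cc_%{uid} cache alone. The paths (/etc/krb5.conf, $HOME/.cron-krb5), the realm name and the sample krb5.conf at the bottom are assumptions for illustration; the directory is kept user-private because whoever can edit a krb5.conf chooses the KDC the job talks to.

```shell
#!/bin/sh
# Added example (not from the thread): give cron jobs their own krb5.conf,
# with a separate default_ccache_name, via KRB5_CONFIG.
# All paths below are assumptions for illustration.

SYSTEM_KRB5_CONF="${SYSTEM_KRB5_CONF:-/etc/krb5.conf}"
CRON_KRB5_DIR="${CRON_KRB5_DIR:-${HOME:-.}/.cron-krb5}"   # user-private, mode 0700

# make_cron_krb5_conf SYSTEM_CONF CCACHE_DIR
# Print SYSTEM_CONF unchanged except that default_ccache_name in
# [libdefaults] becomes CCACHE_DIR/krb5cc_%{uid}; the relation (and the
# section, if missing) is added when the file does not have it.
make_cron_krb5_conf() {
    awk -v cc="$2/krb5cc_%{uid}" '
        /^[ \t]*\[/ {                              # a section header
            # leaving [libdefaults] without having seen the relation: add it
            if (in_lib && !done) { print "    default_ccache_name = " cc; done = 1 }
            in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/)
        }
        in_lib && /^[ \t]*default_ccache_name[ \t]*=/ {   # replace existing
            print "    default_ccache_name = " cc; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!in_lib) print "[libdefaults]"
                print "    default_ccache_name = " cc
            }
        }' "$1"
}

# cron_krb5_run PRINCIPAL KEYTAB COMMAND [ARGS...]
# Replaces the "kinit -k -t ... ; job" prefix in the crontab.
cron_krb5_run() {
    principal=$1; keytab=$2; shift 2
    umask 077
    mkdir -p "$CRON_KRB5_DIR" || return 1
    conf="$CRON_KRB5_DIR/krb5.conf"
    # Regenerated on every run so realm/KDC settings follow the system file.
    make_cron_krb5_conf "$SYSTEM_KRB5_CONF" "$CRON_KRB5_DIR" > "$conf" || return 1
    KRB5_CONFIG=$conf; export KRB5_CONFIG
    # kinit now writes $CRON_KRB5_DIR/krb5cc_<uid>, not /tmp/krb5cc_<uid>.
    kinit -k -t "$keytab" "$principal" || return 1
    "$@"
}

# Stand-alone demonstration on a constructed krb5.conf; needs no KDC.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = KRBREALM
    default_ccache_name = /tmp/krb5cc_%{uid}

[realms]
    KRBREALM = {
        kdc = kdc.example.org
    }
EOF
    make_cron_krb5_conf "$tmp/krb5.conf" "/home/user/.cron-krb5"
    rm -rf "$tmp"
}

demo
```

In the crontab the job line then becomes something like `cron_krb5_run username/cron@KRBREALM /etc/cronkeytabs/usercron.keytab /path/to/job` (with the functions above sourced or installed as a script). Only the job's own processes inherit KRB5_CONFIG, so the interactive cache in /tmp, and the NFS mounts that depend on it, keep the user's ticket. Setting KRB5CCNAME in the job would redirect the cache as well, but it changes only the cache location, whereas a separate krb5.conf lets cron carry any other settings it needs without touching the system file.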
