Problem with /tmp/krb5cc_%uid cache file name
Simo Sorce
simo at redhat.com
Thu Dec 17 12:18:56 EST 2015
On Thu, 2015-12-17 at 14:47 +0100, Rainer Krienke wrote:
> Hello,
>
> a while ago I set up NFS4/Kerberos in our network. So all NFS mounts are
> done via NFS4. We are using MIT kerberos 5. In krb5.conf I configured
> the credential cache file as:
>
> default_ccache_name = /tmp/krb5cc_%{uid}
>
> Now basically this setup works. However I have one problem that is
> related to the cron principal and the default_ccache_name value.
>
> Each user in my setup has a principal username@KRBREALM; for NFS access
> there is an additional nfs/<fqdn>@KRBREALM principal. Users wanting to
> run cron jobs have a username/cron@KRBREALM principal and a local
> keytab file on the cron host to which the cron principal was exported.
>
> Now when a user logs in on the cron host a /tmp/krb5cc_<%uid> file is
> created with a default principal of username at KRBREALM. It contains the
> krbtgt service principal as well as nfs/<fqdn> service principals.
>
> Next a cron job of this user starts. For this purpose the user prepends
> its real cron job with a call like
>
> kinit -k -t /etc/cronkeytabs/usercron.keytab username/cron@KRBREALM
>
> And since default_ccache_name is set to /tmp/krb5cc_%{uid} and the uid
> of this user is always the same the file /tmp/krb5cc_<%uid> is
> overwritten now containing the cron default principal. The user default
> principal that was in there before is deleted. And since we see NFS
> problems once a week on this host my guess is that this overwriting of
> credential cache files might be the origin.
>
> What I would like to have is either a way to *add* a cron service
> principal to a possibly existing /tmp/krb5cc_%{uid} file with the
> default user principal or to use a different default_ccache_name for
> cron with something like:
>
> default_ccache_name = /tmp/krb5cc_{%service}
>
> however there is no %service parameter expansion available.
>
> Any idea how to solve this name-conflict?
Start cron with a different krb5.conf file (using the KRB5_CONFIG
environment variable) and use a completely separate directory for the
ccache files used by cron jobs, so they won't interfere with NFS?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
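One way to put Simo's suggestion into practice, as an added example that is not from this thread: a POSIX sh wrapper that derives a cron-specific krb5.conf with a different default_ccache_name, points KRB5_CONFIG at it, and only then runs kinit and the job, so the interactive /tmp/krb5cc_%{uid} cache (and its nfs/<fqdn> tickets) is never overwritten. Assumed paths: /etc/krb5-cron.conf for the derived config and /var/tmp/krb5cc_cron for the cron cache directory; both are hypothetical choices an administrator would make.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Wrapper that a user
# prepends to a cron job so the cron principal's tickets land in a
# separate credential cache instead of clobbering /tmp/krb5cc_%{uid}.
# Assumed paths: /etc/krb5.conf (system config), /etc/krb5-cron.conf
# (derived cron config), /var/tmp/krb5cc_cron (cron cache directory).
set -eu

CRON_CC_DIR=${CRON_CC_DIR:-/var/tmp/krb5cc_cron}
CRON_KRB5_CONF=${CRON_KRB5_CONF:-/etc/krb5-cron.conf}

# Derive the cron krb5.conf from the system one: everything is kept as-is
# except default_ccache_name, which is rewritten (or added under
# [libdefaults] if absent) so caches live under $CRON_CC_DIR.
# Usage: make_cron_krb5_conf <system krb5.conf> <output file>
make_cron_krb5_conf() {
    if grep -q '^[[:space:]]*default_ccache_name[[:space:]]*=' "$1"; then
        sed -e "s|^\([[:space:]]*default_ccache_name[[:space:]]*=\).*|\1 FILE:$CRON_CC_DIR/krb5cc_%{uid}|" "$1" > "$2"
    else
        sed -e "/^\[libdefaults\]/a\\
default_ccache_name = FILE:$CRON_CC_DIR/krb5cc_%{uid}" "$1" > "$2"
    fi
}

# The cache file the cron job will use for the calling uid, i.e. the same
# value the %{uid} expansion yields (useful for cleanup and log checks).
cron_ccache_path() {
    printf '%s/krb5cc_%s\n' "$CRON_CC_DIR" "$(id -u)"
}

# Run a cron job with the cron principal's tickets in the separate cache.
# Usage: run_cron_job <principal> <keytab> <command...>
run_cron_job() {
    princ=$1; keytab=$2; shift 2
    # The directory is shared like /tmp (sticky, world-writable); kinit
    # still creates each krb5cc_<uid> file as 0600 owned by the user.
    [ -d "$CRON_CC_DIR" ] || mkdir -m 1777 "$CRON_CC_DIR"
    [ -r "$CRON_KRB5_CONF" ] || {
        echo "$CRON_KRB5_CONF missing; create it with make_cron_krb5_conf" >&2
        exit 1
    }
    KRB5_CONFIG=$CRON_KRB5_CONF
    export KRB5_CONFIG            # kinit and the job both read the cron config
    kinit -k -t "$keytab" "$princ"
    "$@"
}

# With arguments (the crontab line) the wrapper runs the job; with none it
# only defines the functions above.
[ $# -eq 0 ] || run_cron_job "$@"
```

A crontab entry then reads `/usr/local/bin/cron-krb-wrapper.sh username/cron@KRBREALM /etc/cronkeytabs/usercron.keytab /path/to/job`, and the user's interactive cache keeps its username@KRBREALM default principal.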