username/cron principals and cron

Rainer Krienke krienke at
Tue May 5 07:24:49 EDT 2015


I am setting up a kerberos/NFS4 environment. Basically everything seems
to work. Every user has of course a principal username@MYREALM, where
username is the unix user name. The users' homes are on a kerberos/NFS4
mounted directory.

Now for running cron jobs I have to export a principal to a keytab and
thus I do not want to use the user principal username@MYREALM
(exporting would also change its key) but a special
username/cron@MYREALM principal.
In order to run a cron job I would like to use kinit to get a ticket and
then start the real work like this:

kinit -k -t /etc/keytabs/cron/usernameCron.keytab username/cron@MYREALM;
touch /home/username/xyz

Because the users have their home on a NFS4 mounted directory I have to
take care that the local user for the cron-principal
username/cron@MYREALM is mapped to "username", the unix user for the

To achieve this I created an auth_to_local rule in /etc/krb5.conf on the
NFS client and on the kerberos server as well:

	auth_to_local = RULE:[2:$1;$2](^.*;cron$)s/;cron//

This should remove the "cron" part for the local user from the
principal. Actually I do not see any effect anywhere in the logs but
perhaps this is normal, I don't know.

After all this way things do not work and I do not know what's wrong.
When running a cron-job that e.g. tries to create a file on the user's NFS4
home directory I simply get a "permission denied" error. When I use the
original user principal for this purpose it works. So the mapping does
not seem to work as expected.

Does anyone know what might be wrong?

Thanks for any help
Rainer Krienke
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz,, Tel: +49261287 1312
PGP:,Fax: +49261287
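
Added example (not part of the original post): a simplified Python model of how MIT krb5 evaluates an auth_to_local list, applied to the rule quoted above, so the rule's output can be checked independently of NFS. It models only the RULE and DEFAULT forms, uses Python's re in place of POSIX regular expressions, and does not model whether the NFS client or server ID-mapping services consult this mapping; the function names are hypothetical.

```python
import re

# Simplified model of MIT krb5 auth_to_local (RULE and DEFAULT only).
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(.*)$")
SED_RE = re.compile(r"s/([^/]*)/([^/]*)/(g?)")

# The rule from the post.
POSTED_RULE = "RULE:[2:$1;$2](^.*;cron$)s/;cron//"


def split_principal(principal):
    """Return ([components], realm) for 'a/b@REALM'."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule, principal, default_realm):
    """Return the local name produced by one rule, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT maps only single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == default_realm else None
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("unsupported rule: %s" % rule)
    n, fmt, regexp, subs = int(m[1]), m[2], m[3], m[4]
    if n != len(comps):
        return None  # [n:...] requires exactly n components
    values = [realm] + comps  # $0 is the realm, $1..$n the components
    selected = re.sub(r"\$(\d)", lambda r: values[int(r[1])], fmt)
    # The optional (regexp) must match the whole selection string.
    if regexp is not None and not re.fullmatch(regexp, selected):
        return None
    for pat, repl, flag in SED_RE.findall(subs):
        selected = re.sub(pat, repl, selected, count=0 if flag else 1)
    return selected


def auth_to_local(rules, principal, default_realm="MYREALM"):
    """Try each rule in order; the first one that applies wins."""
    for rule in rules:
        local = apply_rule(rule, principal, default_realm)
        if local is not None:
            return local
    return None  # no translation: the library reports an error here


if __name__ == "__main__":
    # Constructed sample principals, using the placeholder realm from the post.
    for p in ("username/cron@MYREALM", "username@MYREALM", "username/admin@MYREALM"):
        print(p, "->", auth_to_local([POSTED_RULE], p),
              "| with DEFAULT ->", auth_to_local([POSTED_RULE, "DEFAULT"], p))
```

In this model the posted rule yields "username" for username/cron@MYREALM, while a list that contains only that rule gives no translation for the plain username@MYREALM principal unless DEFAULT is listed after it.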
