username/cron principals and cron

Frank Cusack frank at linetwo.net
Tue May 5 10:43:48 EDT 2015


I'm surprised you need a mapping at all.  The default mapping should simply
strip any instance component.  What happens if you kinit "manually" with
username/cron using a password?

On Tue, May 5, 2015 at 4:24 AM, Rainer Krienke <krienke at uni-koblenz.de>
wrote:

> Hello,
>
> I am setting up a kerberos/NFS4 environment. Basically everything seems
> to work. Every user has of course a princiapl username at MYREALM, where
> username is the unix user name. The users homes are on a kerberos/NFS4
> mounted directory.
>
> Now for running cron jobs I have to export a principal to a keytab and
> thus I do not want to use the user principal username at MYREALM
> (exporting would also change its key) but a special
> username/cron at MYREALM principal.
> In order to run a cron job I would like to use kinit to get a ticket and
> then start the real work like this:
>
> kinit -k -t /etc/keytabs/cron/usernameCron.keytab username/cron at MYREALM;
> touch /home/username/xyz
>
> Because the users have their home on a NFS4 mounted directory I have to
> take care that the local user for the cron-principal
> username/cron at MYREALM is mapped to "username", the unix user for the
> principal.
>
> To achieve this I created an auth_to_local rule in /etc/krb5.conf on the
> NFS client and on the kerberos server as well:
>
>         auth_to_local = RULE:[2:$1;$2](^.*;cron$)s/;cron//
>
> This should remove the "cron" part for the local user from the
> principal. Actually I do not see any effect anywhere in the logs but
> perhaps this is normal, I don't know.
>
> After all this, things do not work and I do not know what's wrong.
> When running a cron job that e.g. tries to create a file in the user's NFS4
> home directory I simply get a "permission denied" error. When I use the
> original user principal for this purpose it works. So the mapping does
> not seem to work as expected.
>
> Does anyone know what might be wrong?
>
> Thanks for any help
> Rainer Krienke
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>
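Frank's suggestion to kinit "manually" is one way to find out whether the posted RULE does what it is meant to. The script below is an added example, not code from this thread and not MIT krb5 itself: a small Python model of how MIT's auth_to_local rules (RULE:[n:string](regexp)s/pattern/replacement/[g] and DEFAULT) are evaluated, run over the rule from the post and a few principals. It assumes a default_realm of MYREALM, a principal named "username", and that a RULE's selection regexp must match the whole formatted string, as MIT's implementation requires. The second rule set, which also matches on the realm via $0 and lists DEFAULT explicitly, is my suggested variant and does not appear in the post.

```python
import re
from typing import Optional

# Assumed default_realm of the hosts in the thread (constructed for this example).
DEFAULT_REALM = "MYREALM"

# RULE:[n:string](regexp)s/pattern/replacement/g as written in krb5.conf.
# Both the selection regexp and the s/// part are optional.
_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]*)\]"            # [n:string]
    r"(?:\((?P<sel>.*?)\))?"                            # optional (regexp)
    r"(?:s/(?P<pat>.*?)/(?P<repl>.*?)/(?P<g>g?))?$"     # optional s/pat/repl/[g]
)


def split_principal(principal: str):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal without realm: {principal!r}")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    """Return the local name produced by one rule, or None if it does not apply."""
    comps, realm = split_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT only maps single-component principals in the default realm.
        return comps[0] if len(comps) == 1 and realm == DEFAULT_REALM else None
    m = _RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    if len(comps) != int(m["n"]):
        return None
    # Build the selection string: $0 is the realm, $1..$n are the components.
    values = {"0": realm, **{str(i + 1): c for i, c in enumerate(comps)}}
    selstr = re.sub(r"\$(\d)", lambda v: values.get(v.group(1), ""), m["fmt"])
    # The selection regexp must match the entire formatted string (MIT behaviour).
    if m["sel"] is not None and re.fullmatch(m["sel"], selstr) is None:
        return None
    if m["pat"] is not None:
        selstr = re.sub(m["pat"], m["repl"], selstr, count=0 if m["g"] else 1)
    return selstr


def auth_to_local(rules, principal: str) -> Optional[str]:
    """Rules are tried in order; the first one that applies wins."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


# Exactly the rule from the post. Note that setting auth_to_local replaces the
# built-in DEFAULT, so plain username@MYREALM is no longer mapped by libkrb5.
RULES_AS_POSTED = ["RULE:[2:$1;$2](^.*;cron$)s/;cron//"]

# Suggested variant: pin the realm via $0 and keep DEFAULT for plain users.
RULES_HARDENED = [
    "RULE:[2:$1;$2@$0](^.*;cron@MYREALM$)s/;cron@MYREALM//",
    "DEFAULT",
]


def demo() -> dict:
    """Map a handful of principals through both rule sets."""
    return {
        "posted/cron": auth_to_local(RULES_AS_POSTED, "username/cron@MYREALM"),
        "posted/plain": auth_to_local(RULES_AS_POSTED, "username@MYREALM"),
        "posted/foreign-cron": auth_to_local(RULES_AS_POSTED, "username/cron@OTHER.REALM"),
        "hardened/cron": auth_to_local(RULES_HARDENED, "username/cron@MYREALM"),
        "hardened/plain": auth_to_local(RULES_HARDENED, "username@MYREALM"),
        "hardened/admin": auth_to_local(RULES_HARDENED, "username/admin@MYREALM"),
        "hardened/foreign-cron": auth_to_local(RULES_HARDENED, "username/cron@OTHER.REALM"),
    }


if __name__ == "__main__":
    for case, local in demo().items():
        print(f"{case:24} -> {local}")
```

Two things the run makes visible: the posted rule does map username/cron@MYREALM to username, so the RULE syntax itself is not the problem, but it never looks at the realm, so a username/cron principal from any trusted realm would get the same local user; and with only that RULE configured, username@MYREALM gets no mapping from libkrb5 at all unless DEFAULT is listed as well. Note that on a Linux NFSv4 server the GSS principal to uid mapping is normally done by the idmapper (rpc.idmapd / libnfsidmap, configured in /etc/idmapd.conf), so a correct auth_to_local rule in krb5.conf is not necessarily what the server consults.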

