[OpenAFS] Re: Cron Jobs for "Regular" Users

Thomas Kula kula@tproa.net
Wed, 27 Jan 2010 11:04:50 -0500


On Wed, Jan 27, 2010 at 04:27:59PM +0100, Holger Rauch wrote:
> I tried to follow your suggestion. I had come across this mail:
> 
> http://www.mail-archive.com/kerberos@mit.edu/msg03229.html
> 
> However, when following the steps described in there, I get the
> following error message after having invoked kinit:
> 
> kinit(v5): Key table entry not found while getting initial credentials
> 
> Interestingly enough, when I do
> 
> klist -ek <keytab_file>
> 
> the entry appears. So, I'm quite puzzled by the error message. 
> 
> - Could it be that the kvno doesn't match?

It very well could be. If the kvno (which is listed in the klist
output) doesn't match the kvno in the database (what is displayed with
getprinc in kadmin) then you won't be able to authenticate with
that keytab.

> 
> - What's the default kvno for princs that are created interactively from within
>   kadmin using the "addprinc" command?

When I just created one, I got a kvno of 1.

> 
> - In case I want to reuse a regular user princ from within a keytab in
>   order to be able to do "kinit -kt <keytab_file> <princ>" from within
>   a crontab entry, do I have to pass the same kvno as an argument to
>   the "-k" switch of ktutil's "addent" command?

Yes. The kvno must match what's in the Kerberos database. Note: this will
increment by one every time the user changes the password, invalidating
the keytab you had previously generated.


- 
Thomas L. Kula | kula@tproa.net | http://kula.tproa.net/