[OpenAFS] Re: Cron Jobs for "Regular" Users
Wed, 27 Jan 2010 16:27:59 +0100
Hi Andrew (and all the other list members),
ok, first I would like to admit that this is actually rather Kerberos- than
OpenAFS-related. Sorry for that, but I want to be able to issue cron
jobs as an OpenAFS user without having to create both new, dedicated
"<user_name>/cron" princs and the associated new PTS entries and
would rather like to "reuse" the "regular" user princs already
created for interactive logins. (I'm aware that dedicated cron job
princs would offer additional security).
On Wed, 30 Dec 2009, Andrew Deason wrote:
> I believe at least MIT's ktutil allows you to create a keytab from a
> known password (and kvno and enctype). See the add_entry -password
> command in ktutil. That doesn't seem like much less work than creating
> new princs, though...
I tried to follow your suggestion. I had come across this mail:
However, when following the steps described in there, I get the
following error message after having invoked kinit:
kinit(v5): Key table entry not found while getting initial credentials
Interestingly enough, when I do
klist -ek <keytab_file>
the entry appears. So, I'm quite puzzled by the error message.
- Could it be that the kvno doesn't match?
- What's the default kvno for princs that are created interactively from within
kadmin using the "addprinc" command?
- In case I want to reuse a regular user princ from within a keytab in
order to be able to do "kinit -kt <keytab_file> <princ>" from within
a crontab entry, do I have to pass the same kvno as an argument to
the "-k" switch of ktutil's "addent" command?
Any clarification is greatly appreciated. Thanks in advance.
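One way to test the kvno question raised in the message above is to compare the (kvno, enctype) pairs in the keytab with the ones the KDC holds for the same principal. This is an added example, not part of the original message; the sample outputs, the principal user@EXAMPLE.ORG and the function names are constructed, and the output layout is assumed from MIT krb5's klist and kadmin, which varies between releases.

```shell
#!/bin/sh
# Constructed sample of `klist -ek <keytab_file>` output (assumed MIT krb5 layout).
KLIST_SAMPLE='Keytab name: FILE:/tmp/user.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 user@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
   1 user@EXAMPLE.ORG (arcfour-hmac)'

# Constructed sample of `kadmin -q "getprinc user"` output, trimmed to key lines.
GETPRINC_SAMPLE='Principal: user@EXAMPLE.ORG
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, arcfour-hmac'

# Print sorted "kvno enctype" pairs for principal $1 from klist output on stdin.
keytab_keys() {
    awk -v p="$1" '$2 == p && $1 ~ /^[0-9]+$/ {
        e = $0; sub(/^[^(]*\(/, "", e); sub(/\)[^)]*$/, "", e)
        print $1, e }' | sort
}

# Print sorted "kvno enctype" pairs from getprinc output on stdin.
# Any salt suffix after the enctype (", no salt" or ":v4") is dropped.
kdc_keys() {
    awk '/^Key: vno / { k = $3; sub(/,$/, "", k)
        e = $0; sub(/^Key: vno [0-9]+, */, "", e); sub(/[,:].*$/, "", e)
        print k, e }' | sort
}

# $1 = principal, $2 = klist text, $3 = getprinc text.
# Prints one of: no-entry, match, kvno-mismatch, enctype-mismatch.
check_keytab() {
    kt=$(printf '%s\n' "$2" | keytab_keys "$1")
    kdc=$(printf '%s\n' "$3" | kdc_keys)
    if [ -z "$kt" ]; then echo no-entry; return 0; fi
    printf '%s\n--\n%s\n' "$kdc" "$kt" | awk '
        $0 == "--" { second = 1; next }
        !second { pair[$0] = 1; e = $0; sub(/^[0-9]+ /, "", e); enc[e] = 1; next }
        { e = $0; sub(/^[0-9]+ /, "", e)
          if ($0 in pair) ok = 1; else if (e in enc) stale = 1 }
        END { print (ok ? "match" : (stale ? "kvno-mismatch" : "enctype-mismatch")) }'
}

# Real use (needs a keytab and kadmin access):
#   check_keytab "$princ" "$(klist -ek "$keytab")" "$(kadmin -q "getprinc $princ")"
check_keytab user@EXAMPLE.ORG "$KLIST_SAMPLE" "$GETPRINC_SAMPLE"
```

A result of no-entry means the principal name or realm in the keytab differs from the one being checked; the other results only describe the difference and do not by themselves say which one kinit is rejecting.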