[OpenAFS] Re: Cron Jobs for "Regular" Users

Holger Rauch holger.rauch@empic.de
Wed, 27 Jan 2010 16:27:59 +0100


Hi Andrew (and all the other list members),

OK, first I'd like to admit that this is actually rather Kerberos- than
OpenAFS-related. Sorry for that, but I want to be able to issue cron
jobs as an OpenAFS user without having to create both new, dedicated
"<user_name>/cron" princs and the associated new PTS entries and
would rather like to "reuse" the "regular" user princs already
created for interactive logins. (I'm aware that dedicated cron job
princs would offer additional security).

On Wed, 30 Dec 2009, Andrew Deason wrote:

> [...]
> I believe at least MIT's ktutil allows you to create a keytab from a
> known password (and kvno and enctype). See the add_entry -password
> command in ktutil. That doesn't seem like much less work than creating
> new princs, though...

I tried to follow your suggestion. I had come across this mail:

http://www.mail-archive.com/kerberos@mit.edu/msg03229.html

However, when following the steps described in there, I get the
following error message after having invoked kinit:

kinit(v5): Key table entry not found while getting initial credentials

Interestingly enough, when I do

klist -ek <keytab_file>

the entry appears. So, I'm quite puzzled by the error message.

- Could it be that the kvno doesn't match?

- What's the default kvno for princs that are created interactively from
  within kadmin using the "addprinc" command?

- In case I want to reuse a regular user princ from within a keytab in
  order to be able to do "kinit -kt <keytab_file> <princ>" from within
  a crontab entry, do I have to pass the same kvno as an argument to
  the "-k" switch of ktutil's "addent" command?

Any clarification is greatly appreciated. Thanks in advance.

Kind regards,

     Holger

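An added example, not part of the original message and not code from OpenAFS or MIT Kerberos: a reader for the version 0x0502 keytab file layout that lists each entry's principal, kvno and enctype, so they can be compared with the values the KDC holds for the principal (for example as shown by kadmin's getprinc). The principal alice@EXAMPLE.ORG, the key bytes and the function names are constructed for illustration.

```python
import struct

def _cs(b):                      # build a counted string: 16-bit length + bytes
    return struct.pack(">H", len(b)) + b

# Constructed sample keytab: one entry, alice@EXAMPLE.ORG, kvno 1, enctype 18.
_entry = (struct.pack(">H", 1) + _cs(b"EXAMPLE.ORG") + _cs(b"alice")
          + struct.pack(">IIB", 1, 1264605000, 1)        # name type, timestamp, 8-bit kvno
          + struct.pack(">H", 18) + _cs(bytes(32)))      # enctype 18, dummy all-zero key
SAMPLE_KEYTAB = b"\x05\x02" + struct.pack(">i", len(_entry)) + _entry

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:            # defensive stop: nothing usable follows
            break
        if size < 0:             # negative length marks a deleted entry; skip it
            pos -= size
            continue
        rec, p, strings = data[pos:pos + size], 2, []
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        for _ in range(ncomp + 1):                       # realm, then name components
            (n,) = struct.unpack_from(">H", rec, p)
            strings.append(rec[p + 2:p + 2 + n].decode())
            p += 2 + n
        p += 8                                           # skip name type and timestamp
        kvno, (etype, keylen) = rec[p], struct.unpack_from(">HH", rec, p + 1)
        p += 5 + keylen                                  # past kvno, enctype and key
        if len(rec) - p >= 4:                            # optional 32-bit kvno wins if non-zero
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno, etype))
        pos += size
    return entries

def compare(data, principal, kdc_kvno, kdc_enctypes):
    """List how the keytab's entries for principal differ from the KDC's values."""
    mine = [e for e in parse_keytab(data) if e[0] == principal]
    problems = [] if mine else ["no entry for " + principal]
    for _, kvno, etype in mine:
        if kvno != kdc_kvno:
            problems.append(f"kvno {kvno} in keytab, {kdc_kvno} on KDC")
        if etype not in kdc_enctypes:
            problems.append(f"enctype {etype} not among the KDC's keys")
    return problems
```

For a real file, pass `open(path, "rb").read()` as `data`; the kvno and enctype numbers to compare against have to be read from the KDC separately.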