[OpenAFS] Re: Cron Jobs for "Regular" Users

Holger Rauch holger.rauch@empic.de
Fri, 29 Jan 2010 16:05:55 +0100

Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi Andrew,

partly good news: I have it working now using the ktutil method, at
least for one example user. However, in order to be useful for cron
jobs acessing OpenAFS file systems, I guess that the keytab file must
reside on either a non-AFS file system (e.g. native ext3, xfs, etc.)
in a directory readable by the user only (Unix permissions: 700) or
on an AFS file system readable by system:anyuser
(AFS ACL permissions: rl) because I'm now facing a
"chicken-and-egg-problem", i.e. I'm getting this error when the keytab
file resides in the user's home directory, which is actually on an
OpenAFS volume:

kinit(v5): Permission denied while getting initial credentials

(This is sort of logical since aklog hasn't been executed yet; on the
other hand, aklog requires the credentials I've just tried to get via
kinit. kinit, however, can't access the keytab file due to a not yet
obtained AFS token...)

(I'm well aware that my suggestion above is actually a security
concern, but what are the ways around it? Is there any good
alternative to placing keytab files on a native file system, each in a
directory readable by the corresponding user only?)

Thanks & kind regards,


On Wed, 27 Jan 2010, Andrew Deason wrote:

> On Wed, 27 Jan 2010 16:27:59 +0100
> Holger Rauch <holger.rauch@empic.de> wrote:
> > - Could it be that the kvno doesn't match?
> >=20
> > - What's the default kvno for princs that are created interactively
> > from within kadmin using the "addprinc" command?
> >=20
> > - In case I want to reuse a regular user princ from within a keytab in
> >   order to be able to do "kinit -kt <keytab_file> <princ>" from within
> >   a crontab entry, do I have to pass the same kvno as an argument to
> >   the "-k" switch of ktutil's "addent" command?
> >  =20
> > Any clarification is greatly appreciated. Thanks in advance.
> I thought I sent a response to this, but I'm not seeing it. I don't know
> if I feel like retyping the whole thing, but the gist of it was the
> example:
> (summary: 'kvno' can tell you the kvno, and 'klist -e' can tell you the
> enctype)
> $ kinit adeason
> Password for adeason@LOCALCELL:
> $ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: adeason@LOCALCELL
>  =20
>   Valid starting     Expires            Service principal
>   01/27/10 10:28:36  01/28/10 10:28:36  krbtgt/LOCALCELL@LOCALCELL
>           Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple D=
ES cbc mode with HMAC/sha1
> $ kvno -c /tmp/krb5cc_1000 adeason
> adeason@LOCALCELL: kvno =3D 1
> $ kdestroy
> $ ktutil
> ktutil:  addent -password -p adeason -k 1 -e des3-cbc-sha1
> Password for adeason@LOCALCELL:
> ktutil:  wkt foo.keytab
> ktutil:
> $ kinit -k -t foo.keytab adeason
> $ echo $?
> 0
> --=20
> Andrew Deason
> adeason@sinenomine.net
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
Holger Rauch
Entwicklung Anwendungs-Software
Systemadministration UNIX

Tel.: +49 / 9131 / 877 - 141
Fax: +49 / 9131 / 877 - 266
Email: Holger.Rauch@empic.de

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

Version: GnuPG v1.4.9 (GNU/Linux)