[OpenAFS] Re: Cron Jobs for "Regular" Users

Andrew Deason adeason@sinenomine.net
Fri, 29 Jan 2010 09:50:34 -0600

On Fri, 29 Jan 2010 09:05:55 -0600
Holger Rauch <holger.rauch@empic.de> wrote:

> partly good news: I have it working now using the ktutil method, at
> least for one example user. However, in order to be useful for cron
> jobs accessing OpenAFS file systems, I guess that the keytab file must
> reside on either a non-AFS file system (e.g. native ext3, xfs, etc.)
> in a directory readable by the user only (Unix permissions: 700) or
> on an AFS file system readable by system:anyuser

Yes, because only the user has access to their home directory
(presumably), and you don't want to make a keytab like that readable to
system:anyuser. A normal cron job cannot access it, because from AFS'
perspective, it is not the user even if it has setuid()'d to them. You
need to prove to AFS who you are, which requires a token in this

> I'm getting this error when the keytab file resides in the user's home
> directory, which is actually on an OpenAFS volume:
> kinit(v5): Permission denied while getting initial credentials
> (This is sort of logical since aklog hasn't been executed yet; on the
> other hand, aklog requires the credentials I've just tried to get via
> kinit. kinit, however, can't access the keytab file due to a not yet
> obtained AFS token...)
> (I'm well aware that my suggestion above is actually a security
> concern, but what are the ways around it? Is there any good
> alternative to placing keytab files on a native file system, each in a
> directory readable by the corresponding user only?)

Well, who do you want to be able to grab the keytab and authenticate as
the user? If you have a dedicated machine running the cron jobs, you
could protect the directory where the keytabs are under an IP ACL, but
IP ACLs don't always work so well, and you'd open up access to anyone
accessing from the same machine.

Or you could make the cron daemon run with certain tokens, and protect
the keytabs under that identity. However, then anyone's cron job can
access anyone's keytab, unless you modify the cron daemon to acquire
tokens specifically for the user it's running as after
fork()/setuid()ing, or something like that.

Note that wherever you're putting these, you really need to make that
place not accessible to many things, for security. For that reason
keeping it on a local machine outside of AFS would make sense, I think.
But if you really want to keep it in AFS, I suppose it's possible.

I'm not quite sure what the setup is you're aiming for, though. It
sounds like you want users to be able to run cron jobs out of AFS on any
arbitrary AFS client in your cell? Doing something like that will
require some extra work.

Andrew Deason
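
The local-keytab approach discussed in this thread, as an added example that is not part of the original messages: a cron wrapper that refuses a keytab stored in AFS or readable by anyone but its owner, then runs kinit and aklog before the job. The function names, the `/afs` mount point and the temporary cache name are assumptions.

```shell
#!/bin/sh
# Added example: cron wrapper that gets Kerberos credentials from a keytab on
# local disk, then an AFS token, before running the job.
# Assumptions: AFS is mounted at /afs; kinit, aklog and kdestroy are on PATH.

# Return 0 only if the keytab can be read before any AFS token exists and is
# private to the calling user: not under /afs, a regular file (no symlink),
# owned by us, with no group/other permission bits.
keytab_is_private() {
    kt=$1
    case $kt in /afs/*) return 1 ;; esac
    [ -f "$kt" ] && [ ! -L "$kt" ] && [ -O "$kt" ] || return 1
    mode=$(ls -ld -- "$kt") || return 1
    case $mode in
        -??-------*) return 0 ;;   # e.g. -rw------- or -r--------
        *) return 1 ;;
    esac
}

# Usage: run_with_afs_token KEYTAB PRINCIPAL COMMAND [ARGS...]
run_with_afs_token() {
    kt=$1; princ=$2; shift 2
    keytab_is_private "$kt" || { echo "refusing keytab: $kt" >&2; return 1; }
    # Private credential cache so the job does not touch the user's
    # interactive tickets.
    cc=$(mktemp "${TMPDIR:-/tmp}/krb5cc_cron.XXXXXX") || return 1
    KRB5CCNAME="FILE:$cc"; export KRB5CCNAME
    rc=1
    # kinit reads the local keytab; aklog turns the TGT into an AFS token.
    if kinit -k -t "$kt" "$princ" && aklog; then
        rc=0
        "$@" || rc=$?
    fi
    # Drop the tickets whether or not the job succeeded.
    kdestroy >/dev/null 2>&1
    rm -f -- "$cc"
    return "$rc"
}

# Run only when called with arguments, e.g. from a crontab entry.
if [ "$#" -ge 3 ]; then
    run_with_afs_token "$@"
fi
```

Without a PAG, the token aklog obtains is attached to the Unix UID on that client, so starting the wrapper under OpenAFS's `pagsh` keeps it confined to the job.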