[OpenAFS] Re: Cron Jobs for "Regular" Users
Wed, 27 Jan 2010 10:03:26 -0600
On Wed, 27 Jan 2010 16:27:59 +0100
Holger Rauch <email@example.com> wrote:
> Hi Andrew (and all the other list members),
> ok, first I like to admit that this is actually rather Kerberos- than

We pretty much all have to deal with kerberos anyway, so it's not the
worst place to ask.

> - Could it be that the kvno doesn't match?
> - What's the default kvno for princs that are created interactively
> from within kadmin using the "addprinc" command?

Something around 0 or 1 probably, if you've never changed the password.

> - In case I want to reuse a regular user princ from within a keytab in
> order to be able to do "kinit -kt <keytab_file> <princ>" from within
> a crontab entry, do I have to pass the same kvno as an argument to
> the "-k" switch of ktutil's "addent" command?

Probably. The 'kvno' tool can tell you what it is.

    $ kvno -c /tmp/krb5cc_1000 adeason
    adeason@LOCALCELL: kvno = 1

(I realize 'LOCALCELL' is a silly name for a realm)

Also, 'klist' can tell you the enctype you want to use after you 'kinit':

    $ klist -e
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: adeason@LOCALCELL

    Valid starting     Expires            Service principal
    01/27/10 09:52:33  01/28/10 09:52:33  krbtgt/LOCALCELL@LOCALCELL
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

This just gives you the human-readable enctypes, though. I'm not really
sure of a good place to get the names you pass to -e, though they make
at least some sense. I happen to know that that one is

    ktutil: addent -password -p adeason@LOCALCELL -k 1 -e des3-cbc-sha1
    Password for adeason@LOCALCELL:
    ktutil: wkt foo.keytab
    $ kinit -k -t foo.keytab adeason
    $ echo $?
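
The kvno question discussed above, as an added example (not part of the original message and not code from the Kerberos or OpenAFS projects): a shell check that the kvno stored in a keytab matches the one the KDC reports, so a stale keytab is caught before the cron job's kinit fails. The function names and the `klist -k -e` sample text are assumptions constructed for illustration; the `kvno` line follows the output shown in the message.

```shell
#!/bin/sh
# Added example, not from the original message: compare the kvno the KDC
# reports for a principal with the kvno stored in a keytab.
# Sample text is constructed in the shape of `kvno <princ>` and
# `klist -k -e <keytab>` output (MIT krb5 layout assumed).

KVNO_OUT='adeason@LOCALCELL: kvno = 1'
KLIST_OUT='Keytab name: FILE:foo.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 adeason@LOCALCELL (des3-cbc-sha1)'

# kdc_kvno PRINC: read `kvno` output on stdin, print the kvno for PRINC.
kdc_kvno() {
    awk -v p="$1" '$1 == (p ":") && $2 == "kvno" { print $4; exit }'
}

# keytab_kvnos PRINC: read `klist -k -e` output on stdin, print one
# "kvno enctype" line per keytab entry that belongs to PRINC.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p {
        k = $1
        sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]*/, "")   # keep only "(enctype)"
        gsub(/[()]/, "")
        print k, $0
    }'
}

# check_keytab PRINC KVNO_TEXT KLIST_TEXT
#   0: keytab has an entry for PRINC with the KDC's current kvno
#   1: PRINC is in the keytab, but only under other kvnos (stale keytab)
#   2: PRINC is missing from one of the two inputs
# A matching kvno does not prove the key itself (password, enctype) matches.
check_keytab() {
    want=$(printf '%s\n' "$2" | kdc_kvno "$1")
    have=$(printf '%s\n' "$3" | keytab_kvnos "$1")
    [ -n "$want" ] && [ -n "$have" ] || return 2
    printf '%s\n' "$have" | awk -v w="$want" '$1 == w { ok = 1 } END { exit !ok }'
}

if check_keytab adeason@LOCALCELL "$KVNO_OUT" "$KLIST_OUT"; then
    echo "keytab kvno matches the KDC"
else
    echo "keytab kvno differs from the KDC or principal not found"
fi
```

Against a live realm, pass "$(kvno "$princ")" and "$(klist -k -e foo.keytab)" as the second and third arguments; kvno needs a valid ticket cache to ask the KDC.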