The Mac OS X kinit uses the in-memory CCAPI ccache server to temporarily store tickets before placing them in the destination ccache (in this case a file-based ccache). As a result, kinit is attempting to launch a launchd service (the CCacheServer) from inside your launchd script. The CCacheServer is failing to launch, resulting in the "Internal credentials cache error". The fact that the CCacheServer is launched in this case is an artifact of the Kerberos v4 support in previous versions of Mac OS X. (Future versions of Kerberos for Mac OS X will no longer use the CCacheServer in this case, but that's not much help to you now.)
As to why the CCacheServer isn't launching, there are a couple of things which could be going wrong here. Launchd could be launching kinit in the wrong session (such as the root bootstrap), which would prevent the CCacheServer from launching entirely. Alternatively, there could be some problem with launching a launchd service from inside a launchd script (although I'm sure it's more complicated than that or lots of things wouldn't work). Regardless, this is an Apple bug and you should file it with Apple at <http://bugreport.apple.com/>.

As far as actually solving your problem goes, you can obtain a keytab for the machine and have it authenticate to the service using tickets obtained from the keytab (kinit -k). Using a keytab would be the most stable mechanism since you wouldn't have to handle the case where the renewal lifetime expires. If you end up using a keytab you might want to look at Russ Allbery's kstart program <http://www.eyrie.org/~eagle/software/kstart/> which does a lot of the work of managing the keytab for you.

If getting a keytab isn't possible, you can build a stock kinit from the krb5 sources (krb5/src/clients/kinit) which will get tickets and store them in the file-based ccache without launching the CCacheServer.

On Jan 8, 2008, at 11:28 AM, Christopher Owens wrote:

> kinit seems to behave differently when it is invoked under the launchd
> mechanism than when it is invoked from a command line. I believe all
> the relevant environment variables are set identically, but the outcome
> is different.
>
> Background:
>
> I have a Mac OS 10.5 ("Leopard") client machine. It is in contact with
> a Linux Kerberos server. I have a ticket that I want to keep alive, so
> that an application can use it to authenticate to another server. The
> normal Unix way to do this would be to set up a cron job to renew the
> ticket every couple of hours. I am trying to do it the Leopard way, by
> adding an XML plist file to /Library/LaunchDaemons that invokes kinit.
>
> Problem:
>
> When I run the kinit command from the command line, it works fine (in my
> example below I've changed the name to host.domain.com):
>
> sudo -u openldap env KRB5CCNAME="FILE:/var/db/openldap/syncrepl.tkt" kinit -k -t /var/db/openldap/syncrepl.keytab syncrepl/host.domain.com
>
> On the other hand, when I use the launchd mechanism to run it, I get an
> error in the log:
>
> Jan 8 01:29:38 <hostname> syncrepl-kinit[13049]: kinit: Error getting initial tickets: Internal credentials cache error
>
> Normally that error message refers to an inability to read or write the
> key cache, I believe.
>
> If you're still reading, here's the plist file (again, I've changed the
> names):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <key>Label</key>
>     <string>syncrepl-kinit</string>
>     <key>Disabled</key>
>     <true/>
>     <key>Program</key>
>     <string>/usr/bin/kinit</string>
>     <key>ProgramArguments</key>
>     <array>
>         <string>/usr/bin/kinit</string>
>         <string>-k</string>
>         <string>-t</string>
>         <string>/var/db/openldap/syncrepl.keytab</string>
>         <string>syncrepl/host.domain.com</string>
>     </array>
>     <key>EnvironmentVariables</key>
>     <dict>
>         <key>KRB5CCNAME</key>
>         <string>FILE:/var/db/openldap/syncrepl.tkt</string>
>     </dict>
>     <key>UserName</key>
>     <string>openldap</string>
>     <key>RunAtLoad</key>
>     <true/>
>     <!-- An interval in seconds belongs under StartInterval;
>          StartCalendarInterval expects a dict of Minute/Hour/Day/... keys,
>          so launchd would reject an <integer> there. -->
>     <key>StartInterval</key>
>     <integer>21600</integer>
>     <key>LowPriorityIO</key>
>     <true/>
> </dict>
> </plist>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--lxs
Alexandra Ellwood <[EMAIL PROTECTED]>
MIT Kerberos Development Team
<http://mit.edu/lxs/www>
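An added example, not code from either poster: a small wrapper that launchd can run in place of kinit itself, so that a failed keytab kinit leaves its own error text in the log and a still-valid ticket is not re-fetched on every run; it does not avoid the CCacheServer launch described above, it only makes the outcome visible and the job idempotent. It assumes MIT krb5 tools (`klist -s`, `kinit -k -t`) and reuses the keytab, principal and ccache paths from the quoted plist as placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: a wrapper for launchd to run in place
# of calling kinit directly. Paths and principal are the (assumed) ones
# from the original plist and can be overridden through the environment.
# Assumes MIT krb5 tools: `klist -s` exits non-zero when the ccache holds
# no valid ticket; `kinit -k -t` obtains tickets from a keytab.

KEYTAB="${KEYTAB:-/var/db/openldap/syncrepl.keytab}"
PRINCIPAL="${PRINCIPAL:-syncrepl/host.domain.com}"
export KRB5CCNAME="${KRB5CCNAME:-FILE:/var/db/openldap/syncrepl.tkt}"

log() { echo "syncrepl-kinit: $*" >&2; }

# 0 if the ccache already holds a valid ticket, non-zero otherwise.
have_valid_ticket() {
    klist -s >/dev/null 2>&1
}

# Obtain fresh tickets from the keytab. kinit's own message (for example
# "Internal credentials cache error") is captured and logged rather than
# lost in a job that launchd runs without a terminal.
fetch_ticket() {
    if output=$(kinit -k -t "$KEYTAB" "$PRINCIPAL" 2>&1); then
        log "obtained tickets for $PRINCIPAL"
        return 0
    fi
    log "kinit failed for $PRINCIPAL: $output"
    return 1
}

# Re-fetch only when no valid ticket is present, or always when FORCE=1.
# Returns 0 on success so launchd can record the job's exit status.
renew_ticket() {
    if [ "${FORCE:-0}" != 1 ] && have_valid_ticket; then
        log "valid ticket already in $KRB5CCNAME, nothing to do"
        return 0
    fi
    fetch_ticket
}

# From launchd: ProgramArguments = /bin/sh, /path/to/krb-renew.sh, run
case "${1:-}" in
    run) renew_ticket ;;
esac
```

Point the job's StandardErrorPath at a log file (or use `logger` in `log`) so the captured kinit message is kept; with StartInterval set, launchd re-runs the script on schedule and the keytab supplies fresh tickets without depending on the renewable lifetime.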