Hello, I am setting up a kerberos/NFS4 environment. Basically everything seems to work. Every user has of course a principal username@MYREALM, where username is the unix user name. The users' homes are on a kerberos/NFS4 mounted directory.
Now for running cron jobs I have to export a principal to a keytab and thus I do not want to use the user principal username@MYREALM (exporting would also change its key) but a special username/cron@MYREALM principal.
In order to run a cron job I would like to use kinit to get a ticket and then start the real work like this:
kinit -k -t /etc/keytabs/cron/usernameCron.keytab username/cron@MYREALM;
touch /home/username/xyz
Because the users have their home on a NFS4 mounted directory I have to take care that the local user for the cron principal username/cron@MYREALM is mapped to "username", the unix user for the principal.
To achieve this I created an auth_to_local rule in /etc/krb5.conf on the NFS client and on the kerberos server as well:
auth_to_local = RULE:[2:$1;$2](^.*;cron$)s/;cron//
This should remove the "cron" part for the local user from the principal. Actually I do not see any effect anywhere in the logs, but perhaps this is normal, I don't know.
After all this, things do not work and I do not know what's wrong. When running a cron job that e.g. tries to create a file in the user's NFS4 home directory I simply get a "permission denied" error. When I use the original user principal for this purpose it works. So the mapping does not seem to work as expected.
Does anyone know what might be wrong?
Thanks for any help
Rainer Krienke
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
Kerberos mailing list, https://mailman.mit.edu/mailman/listinfo/kerberos
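As an added example (not from the post above nor from MIT krb5 itself), here is a small Python model of how an MIT auth_to_local RULE is evaluated, run against the rule and principals from the post: the [n:string] formatting, the whole-string selector match, then the s/// substitution. It assumes MIT's semantics with Python's re standing in for POSIX ERE, and it models only krb5's own name mapping, not whatever an NFSv4 server's idmapper does with the principal.

```python
import re

# Constructed from the rule in the post; the grammar below is a simplified
# model of MIT krb5's RULE:[n:string](regexp)s/pattern/replacement/[g] form.
CRON_RULE = "RULE:[2:$1;$2](^.*;cron$)s/;cron//"
RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\(([^)]*)\)s/([^/]*)/([^/]*)/(g?)$")

def parse_rule(rule):
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"cannot parse auth_to_local rule: {rule!r}")
    ncomp, fmt, selector, pattern, repl, g = m.groups()
    return int(ncomp), fmt, selector, pattern, repl, g == "g"

def apply_rule(rule, principal):
    """Return the local name the rule yields, or None if the rule does not fire."""
    ncomp, fmt, selector, pattern, repl, every = parse_rule(rule)
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    if len(comps) != ncomp:          # [n:...] only fires for n-component names
        return None
    # $0 is the realm, $1..$n the principal components (fewer than 10 assumed)
    formatted = fmt.replace("$0", realm)
    for i, comp in enumerate(comps, 1):
        formatted = formatted.replace(f"${i}", comp)
    # the selector must match the entire formatted string (assumed MIT behaviour)
    if re.fullmatch(selector, formatted) is None:
        return None
    return re.sub(pattern, repl, formatted, count=0 if every else 1)

def map_principal(rules, principal, default_realm):
    """First matching rule wins; otherwise the DEFAULT rule (simplified here):
    a one-component principal in the default realm maps to its own name."""
    for rule in rules:
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    name, realm = principal.rsplit("@", 1)
    if realm == default_realm and "/" not in name:
        return name
    return None                      # no local user: access should be refused

if __name__ == "__main__":
    for p in ("username/cron@MYREALM", "username@MYREALM",
              "nfs/server.example.org@MYREALM", "username/cron@OTHER"):
        print(f"{p:32} -> {map_principal([CRON_RULE], p, 'MYREALM')}")
```

The last case shows a property worth knowing before deploying such a rule: the format string never uses $0, so a username/cron principal from any realm is mapped the same way, whereas including $0 in the format and the selector confines the rule to the intended realm.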
