On Fri, Apr 18, 2008 at 12:43 PM, Peter Koczan <pjkoczan@gmail.com> wrote:
> On Thu, Apr 17, 2008 at 11:40 AM, Peter Koczan <pjkoczan@gmail.com> wrote:
> > Hi all,
> >
> > I just upgraded one of my servers and I'm having a bit of trouble
> > getting some of the kerberos authentication bits working.
> > Specifically, any Kerberos instance run out of a v5srvtab doesn't work
> > so well. Using stashed tickets or normal principals worked fine.
> > Gritty details follow.
> >
> > Peter
> >
> > Here are details from the specific v5srvtab's...
> > [root@sensei postgres]# klist -k -t /etc/v5srvtab.wsbackup
> > Keytab name: FILE:/etc/v5srvtab.wsbackup
> > KVNO Timestamp Principal
> > ---- ----------------- --------------------------------------------------------
> > 13 12/20/07 15:56:11 wsbackup/sensei.cs.wisc.edu@CS.WISC.EDU
>
> Here's what happens when I do this (it's on a different machine but
> it's the same mechanism).
>
> [root@ator] ~ $ su - wsbackup
> ator(1)% kinit -f -k -t /etc/v5srvtab.wsbackup -l 1d
> wsbackup/ator.cs.wisc.edu@CS.WISC.EDU
> ator(2)% klist
> Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_28528
> Default principal: wsbackup/ator.cs.wisc.edu@CS.WISC.EDU
>
> Valid starting Expires Service principal
> 04/18/08 12:25:00 04/19/08 12:25:00 krbtgt/CS.WISC.EDU@CS.WISC.EDU
>
>
> Kerberos 4 ticket cache: /tmp/tkt28528
> klist: You have no tickets cached
One more thing to note, I said before that stashed tickets and login
principals "just work." Here might be something...
[koczan@ator] koczan $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_ZtKJNK
Default principal: koczan@CS.WISC.EDU
...
[root@mitchell ~]# export KRB5CCNAME=/var/adm/krb5/tmp/stash/krb5cc_25555.stash
[root@mitchell ~]# klist
Ticket cache: FILE:/var/adm/krb5/tmp/stash/krb5cc_25555.stash
Default principal: strivia@CS.WISC.EDU
...
They don't contain hostname data in the default principal like the
keytab principal does, and yet they both connect fine. There could be
something to this, but I don't know what, or how to take advantage of
it.
Peter