November 2013
Abstract
When $HOME is on Kerberized NFS, a cron job cannot just do I/O to $HOME without preparations. This article shows the necessary preparations.
Create a keytab
To allow the cron job access to $HOME, you must create a keytab.
This keytab is worth a password in that whoever can read it can do anything you yourself could do to your homedir.
And you cannot put it in $HOME, as cron cannot read it from there in the first place. So put it in /tmp, /var/tmp, or the like...
apprentice@host:~$ ktutil --keytab=/tmp/keytab.krb-username add -p krb-username --enctype=aes256-cts-hmac-sha1-96 --kvno=1
(You will be asked for a password twice. If you mistype, you will not receive a warning, but the keytab won't work.)
Test the keytab
Destroy any existing credentials, then try to use the keytab for Kerberos authentication:
apprentice@host:~$ kdestroy
apprentice@host:~$ kinit -t /tmp/keytab.krb-username krb-username
apprentice@host:~$ ls $HOME
Use the keytab from cron
* * * * * kinit -t /tmp/keytab.krb-username krb-username myscript.sh
Warning
You cannot do this:
* * * * * kinit -t /tmp/keytab.krb-username krb-username myscript.sh < $HOME/myinput > $HOME/myoutput
... because if you did, cron would start a shell, arrange the redirection of stdin and stdout, and only then would it start kinit. Thus, the shell would wait for I/O forever, lacking permission, and never get to the kinit part. It doesn't matter that kinit would later proceed to get the very permission its parent is waiting for. It just never gets to that point. To make matters worse, cron would start many of these processes, and none would ever finish. Permission on $HOME is only available to kinit itself and its children. So you have to arrange the redirection inside myscript.sh itself.
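A myscript.sh that follows the rules above, added here as an example rather than the article's own script: it refuses a keytab that others can read, checks that kinit actually left a ticket before touching $HOME (a keytab made with a mistyped password fails exactly here), and opens $HOME/myinput and $HOME/myoutput from inside the script, so the open() happens in a child of kinit rather than in the shell cron started. The function names and the line-counting work are assumptions; the crontab line stays as in the article, `* * * * * kinit -t /tmp/keytab.krb-username krb-username myscript.sh`.

```shell
#!/bin/sh
# myscript.sh: started by cron as a child of kinit, so this process, and
# only this process, holds the credentials that $HOME on Kerberized NFS
# requires. Every open() of a file under $HOME therefore happens in here.
# Example written for this article; function names are assumptions.

set -u

# The keytab is worth a password: refuse to run if group or other can read it.
# Characters 5-10 of the ls -l mode string are the group/other bits.
keytab_is_private() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# A keytab created with a mistyped password yields no ticket and no warning;
# klist -s exits 0 only when a valid credential cache exists.
have_ticket() {
    klist -s 2>/dev/null
}

# The real work. The redirections live here, inside kinit's child, never on
# the crontab line where cron's credential-less shell would perform them.
process() {
    in="$1"
    out="$2"
    [ -r "$in" ] || return 1
    n=$(wc -l < "$in" | tr -d ' ')
    printf '%s lines=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$n" >> "$out"
}

main() {
    keytab="${KEYTAB:-/tmp/keytab.krb-username}"
    keytab_is_private "$keytab" || { echo "refusing: $keytab is readable by others" >&2; exit 2; }
    have_ticket || { echo "no Kerberos ticket; was this started via kinit?" >&2; exit 3; }
    process "$HOME/myinput" "$HOME/myoutput"
}

# Run main only when executed as myscript.sh, not when sourced for testing.
case "${0##*/}" in myscript.sh) main "$@" ;; esac
```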