Kerberos Problem with ‘cron’ or ‘at’

[gw1500se]

After many days of hair pulling I have run into a problem running a perl script that uses Kerberos for authentication. This started out as what I thought was a problem with the perl module Authen::Krb5. I had a script that worked fine from the command line but when run from ‘cron’ or ‘at’ (i.e. no attached console) it would fail with the error:
[quote]Credentials cache I/O operation failed XXX[/quote]
It turns out, according to the perl module author, that is error is coming from the Kerberos library not his module. He then suggested that I check the environment variable, KRB5CCNAME. Under normal implementations this is supposed to be the path for the credentials cache file. Under OS X this variable does not exist. If I set this variable, it apparently is not used.

So I have 2 basic questions. Where does OS X put the credentials cache file? Where ever that place is, why can it not be written when a script runs without a console? TIA.

[gw1500se]

It doesn’t matter as it fails with any user including root. Yes. Remember this is a working script when launched from the command line. In background it fails initializing the credentials cache. If I knew where it writes the cache file I might be able to figure out why it fails. The puzzle is that I thought Apple used the standard Kerberos libraries. That being the case why is KRB5CCNAME seemingly not used?

[gw1500se]

Thanks for the reply. I figured that is where this was heading. The standard Unix location for the credentials cache file is /tmp (I guess you are implying OS X is non-standard) not /home. The standard environment variable, KRB5CCNAME, is used to change the location of the cache file and that seems to be ignored by OS X. Since OS X does not seem to use Kerberos standards, how do I fix it?

[gw1500se]

Thanks. Perhaps it is because I’m running a perl script, but fs_usage does not generate anything (at least the silly way I tried it). This is also the first time I tried to use it so I’m sure I didn’t do it right. It seems like the script must already be running for fs_usage to work but it does not seem to have a way to launch the script. It is not clear from the man page how I get fs_usage to launch the command its supposed to monitor.

[gw1500se]

[QUOTE][u]Quote by: MacTroll[/u][p]The user the script is running as not have a real home?

No home = no cache.[/p][/QUOTE]
I missed the ‘?’ on this. Why wouldn’t the user have a home just because its running as cron? That certainly doesn’t happen with other Unix flavors. I don’t think that can be the problem after all.

[gw1500se]

Just to close this out, it turns out that by default, the Kerberos library use some virtual location that is not available when run in background. Using KRB5CCNAME is the solution but it requires more then just a path. It also requires the type of node specifically it needs to be told to use a file. My solution was KRB5CCNAME=’FILE:/somefilepath”.

[Author]

Posts