kinit error with systemd

steve

Oct 5, 2013, 12:59:19 PM
to kerb...@mit.edu
When trying to get Kerberos tickets, we get an error that the directory
does not exist e.g.
as root:
kinit Administrator
kinit: Credential cache directory /run/user/0/krb5cc does not exist
while getting default ccache

If I now create the directory:
/run/user/0
it works fine.

I'm not sure whether this is a kinit problem or a systemd problem as
the /run/usr/$UID directory is only produced when $UID logs in.

Previously, the cache was produced in /tmp which is _always_ available.

What are we supposed to do to automount a kerberised cifs share where
root will never be logged in?

Thanks,
Steve


steve

Oct 6, 2013, 6:18:55 AM
to Daniel Kahn Gillmor, kerb...@mit.edu
On Sat, 2013-10-05 at 13:10 -0400, Daniel Kahn Gillmor wrote:
> On 10/05/2013 12:59 PM, steve wrote:
> > When trying to get Kerberos tickets, we get an error that the directory
> > does not exist e.g.
> > as root:
> > kinit Administrator
> > kinit: Credential cache directory /run/user/0/krb5cc does not exist
> > while getting default ccache
> >
> > If I now create the directory:
> > /run/user/0
> > it works fine.
> >
> > I'm not sure whether this is a kinit problem or a systemd problem as
> > the /run/usr/$UID directory is only produced when $UID logs in.
>
> maybe you need to use systemd's tmpfiles mechanism to pre-create
> /run/user/0 before the kinit service gets run?
>
> http://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html

Hi
Thanks. It works fine. Just a pity that something like this had to
change. It worked fine when the cache was created in /tmp.

Our main problem is that the root cache cannot be created for
automounted cifs, for the same reason: the root cache directory will not
be present on a domain client.

We're testing openSUSE 13.1 beta. It seems that systemd has forced the
change, although the openSUSE guys blame kinit.

Steve


Greg Hudson

Oct 6, 2013, 12:37:40 PM
to steve, kerb...@mit.edu
On 10/06/2013 06:18 AM, steve wrote:
> Thanks. It works fine. Just a pity that something like this had to
> change. It worked fine when the cache was created in /tmp.

The upstream default is still /tmp/krb5cc_%{uid}. In 1.11 we added the
ability to change the default ccache name, either at build time or in
/etc/krb5.conf. I wasn't aware that OpenSUSE had started doing this in
their build, but it's not entirely surprising given that they use
systemd. You should be able to change it back in krb5.conf if you prefer:

[libdefaults]
default_ccache_name = /tmp/krb5cc_%{uid}

We're aware of the unfortunate corner cases which result from using a
systemd per-user temporary directory as the default. For 1.12, Simo
Sorce and I have done some work on the KEYRING ccache type which, in
combination with some new kernel features, should make it a reasonable
choice for a per-user default. Obviously, that only helps on Linux, so
we don't consider it a complete solution. In the longer term, we hope
to introduce a daemon-backed ccache type (like Kerberos for Windows'
CCAPI or Heimdal's KCM) which can work on all Unix-like platforms.
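
Added example, not part of the original thread and not MIT krb5 or openSUSE code: a pre-flight check that an unattended service (such as the automount case above) could run before kinit, combining the tmpfiles suggestion and the default_ccache_name setting discussed in this thread. The helper names are hypothetical, and the DIR: template in the sample call is an assumption reconstructed from the error message quoted in the first post.

```shell
#!/bin/sh
# Added example: check that a krb5 default_ccache_name template resolves
# to a usable location before an unattended kinit runs.

# Expand the %{uid} token for a numeric uid (other tokens are left alone).
expand_ccname() {
    case "$2" in ''|*[!0-9]*) return 2 ;; esac
    printf '%s\n' "$1" | sed "s/%{uid}/$2/g"
}

# Print the directory that must already exist for this ccache name.
# Prints nothing for types that do not live in the filesystem.
ccache_parent() {
    case "$1" in
        DIR:*)  dirname "${1#DIR:}" ;;   # the thread: creating the parent was enough
        FILE:*) dirname "${1#FILE:}" ;;
        /*)     dirname "$1" ;;          # bare path, as in /tmp/krb5cc_%{uid}
        *)      : ;;                     # KEYRING: and other non-file types
    esac
}

# usage: check_ccache TEMPLATE UID GID
# Returns 0 if the parent directory exists (or none is needed), 1 if it is
# missing, 2 on a bad uid. On 1, prints a tmpfiles.d line that pre-creates it.
check_ccache() {
    name=$(expand_ccname "$1" "$2") || return 2
    parent=$(ccache_parent "$name")
    [ -z "$parent" ] && return 0
    [ -d "$parent" ] && return 0
    printf 'd %s 0700 %s %s -\n' "$parent" "$2" "$3"
    return 1
}

# Constructed sample call: the DIR: name implied by the error in the first post.
check_ccache 'DIR:/run/user/%{uid}/krb5cc' 0 0 ||
    echo "parent missing: install the line above under /etc/tmpfiles.d/ or set default_ccache_name" >&2
```
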

steve

Oct 7, 2013, 4:16:31 AM
to Greg Hudson, kerb...@mit.edu
Hi
Thanks for the info. I don't know whether openSUSE have this in mind but
your solution does indeed solve the problem.

I wonder if systemd has an official way of doing this? To try and get an
official openSUSE slant on this, we've opened a bugzilla:
https://bugzilla.novell.com/show_bug.cgi?id=844198


Simo Sorce

Oct 10, 2013, 4:45:05 PM
to kerberos
systemd developers made quite clear that the XDG_RUNTIME_DIR directory is
created after some of the pam modules are run and not created at all in
some cases (sudo su without -i/-l at least), which is why we are working
on a Keyring based solution for now.

Simo.

> To try and get an
> official openSUSE slant on this, we've opened a bugzilla:
> https://bugzilla.novell.com/show_bug.cgi?id=844198


--
Simo Sorce * Red Hat, Inc * New York

