Cron jobs on Kerberized NFS

Jurjen Bokma

November 2013

Abstract

When $HOME is on Kerberized NFS, a cron job cannot just do I/O to $HOME without preparations. This article shows the necessary preparations.


  1. To allow the cron job access to $HOME, you must create a keytab. This keytab is worth a password in that whoever can read it can do anything you yourself could do to your homedir. And you cannot put it in $HOME, as CRON cannot read it from there in the first place. So put in in /tmp, /var/tmp, or the like...

    apprentice@host:~$ ktutil --keytab=/tmp/keytab.krb-username add -p krb-username --enctype=aes256-cts-hmac-sha1-96 --kvno=1

    (You will be asked for a password twice. If you mistype, you will not receive a warning, but the keytab won't work.)

  2. Destroy any existing credentials, then try to use they keytab for Kerberos authentication:

    apprentice@host:~$ kdestroy
    apprentice@host:~$ kinit -t /tmp/keytab.krb-username krb-username ls $HOME

  3. * *  * * *  kinit -t /tmp/keytab.krb-username krb-username myscript.sh
    	

    [Warning]Warning

    You cannot do this:

    * *  * * *  kinit -t /tmp/keytab.krb-username krb-username myscript.sh < $HOME/myinput > $HOME/myoutput
    	  

    ... because if you did, cron would start a shell, arrange the redirection of stdin and stdout, and only then would it start kinit. Thus, the shell would wait for I/O forever, lacking permission, and never get to the kinit part. It doesn't matter that kinit would later proceed to get the very permission its parent is waiting for. It just never gets to that point. To make matters worse, cron would start many of these processes, and none would ever finish.

    Permission on $HOME is only available to kinit itself and its children. So you have to arrange the redirection inside myscript.sh itself.

[Warning]Warning

Although Active Directory is 'case agnostic', it may be necessary here to use the precise principal name that is in the AD LDAP. So not 'Krb-Username' if AD thinks it is 'KRB-USERNAME'.