[28968] in Kerberos
ksu sets the wrong permissions on the cache file!
daemon@ATHENA.MIT.EDU (Amir Saad)
Sun Jan 6 03:20:53 2008
Message-ID: <BAY124-W58F5C4B227549F166C58A8B44E0@phx.gbl>
From: Amir Saad <eng__amir@hotmail.com>
To: Kerberos <kerberos@mit.edu>
Date: Sun, 6 Jan 2008 10:20:06 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
When I log in as user1 and then tries to ksu to user2, the cache is owned by user1! user2 has no access at all, even no read access! The cache file is not on the normal form /tmp/krb5cc_uid, instead it is /tmp/krb5cc_uid.1 (an integer is appended)
I'm using NFS4 & Kerberos and both are working fine when I login or SSH but not when I ksu. I checked the log and here is what I found:.
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: doing error downcall
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: handling krb5 upcall
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: getting credentials for client with uid 1002 for server machine@DOMAIN
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: using FILE:/tmp/krb5cc_1002 as credentials cache for client with uid 1002 for server machine@DOMAIN
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: using environment variable to select krb5 ccache FILE:/tmp/krb5cc_1002
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: creating context using fsuid 1002 (save_uid 0)
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: ERROR: GSS-API: error in gss_acquire_cred(): Miscellaneous failure - Unknown code krb5 195
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: WARNING: Failed while limiting krb5 encryption types for user with uid 1002
Jan 6 09:36:00 ia714204 rpc.gssd[4968]: WARNING: Failed to create krb5 context for user with uid 1002 for server machine@DOMAIN
Kerberos 195 means no credential cache found; I could not found any /tmp/krb5cc_1002 but I found tmp/krb5cc_1002.1 which is not readable by uid 1002
I need ksu to get a TGT for the target user and place it in the target user's cache, is this possible?
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
