[Freeipa-users] ipa and cronjob

Anthony Messina amessina at messinet.com
Wed Nov 14 03:53:19 UTC 2012


On Tuesday, November 13, 2012 02:10:44 PM george he wrote:
> I have a cronjob run daily by an ipa user, which accesses nfs mounted data
> on the nfs server (another machine in the realm). The problem is when the
> user was away for a few days, his credential expired and the cronjob did
> not run until he came back and logged on to the system again. Then all
> halted cronjobs from the past days started to run, which is not desired
> because all of them were doing the same thing. My question is: Can we keep
> the cronjob running when the user's credential is expired? If we cannot,
> then can we skip or kill all of the old cronjobs but not the most recent
> one?

This may not be exactly what you're looking for, but it might get you started.  
I have a Kerberized NFSv4 setup with F17 machines here, two of which are used 
only as MythTV frontend/backend machines.  For each of these, I wanted 
NFSv4/Kerberos mounted home directories with autologin AND the ability for the 
frontend/backend machines to potentially stay on for more than 24 hours so I 
do the following:

1. Using automatic login with the lightdm display manager, I have it run the 
following script to remove any old Kerberos ccaches, then obtain a new ticket 
on behalf of the user, and set the appropriate permissions and SELinux 
context.  Note that in this case, I echo the password to kinit -- if I 
exported a keytab, I would not be able to log in manually with a known password 
if there were a problem.

#!/bin/bash
#
# Run by lightdm at autologin: replace any stale ccache for USERNAME with a
# fresh, renewable TGT so the Kerberized NFSv4 mounts work before the
# session starts.  The password is stored here in clear text, so keep this
# file readable by root only.
USERNAME="user1"
USERID="$(/usr/bin/id -u "${USERNAME}")"
PASSWORD="super_secret_password"
# Same path kinit/klist use by default for this UID, so the cron job below
# (kinit -R) finds the cache without setting KRB5CCNAME itself.
export KRB5CCNAME="FILE:/tmp/krb5cc_${USERID}"
/usr/bin/kdestroy -A -c "${KRB5CCNAME}"
# kinit reads the password from stdin when it is not a tty.  -r asks for a
# TGT renewable for 7 days (604800 s), capped by the KDC's max renewable
# life, so it can be refreshed with "kinit -R" until then.
/usr/bin/echo "${PASSWORD}" | /usr/bin/kinit -r 604800s \
  -c "${KRB5CCNAME##*:}" "${USERNAME}"
# ${KRB5CCNAME##*:} strips the "FILE:" prefix, leaving the bare path.
/bin/chown "${USERNAME}:${USERNAME}" "${KRB5CCNAME##*:}"
/usr/bin/chcon -t user_tmp_t "${KRB5CCNAME##*:}"


2. I run the following user-specific cron job (/var/spool/cron/user1)

# For MythTV frontend hosts requiring access to NFSv4 filesystems exported
# with Kerberos v5, renew the Kerberos v5 ticket for the MythTV frontend user.
# With no KRB5CCNAME set, kinit -R uses the default cache /tmp/krb5cc_<uid>,
# the same file the login script above creates.  A ticket can only be renewed
# while it is still unexpired, so run this well inside the ticket lifetime.
MAILTO=root
15 */4 * * *    /usr/bin/kinit -R


I'm guessing that if your user is an actual user, you may be able to do 
something similar by ensuring that a renewable ticket was requested in the 
first place, then issuing the cron task every so often.

I tried using the auto-renewal option of SSSD, but that didn't seem to work 
for me.  I didn't investigate why not, but I'm guessing it has something to do 
with how a "user" logs in in the first place.  My MythTV backend user, for 
example, never actually logs in, but still needs Kerberos credentials to 
access NFSv4 filesystems.

Now this will probably all change a bit in F18 with the switch to Kerberos DIR 
ccaches placed under the /run/user/$UID portion of the filesystem, which is 
not retained across reboots:

http://fedoraproject.org/wiki/Features/KRB5DirCache
http://fedoraproject.org/wiki/Features/KRB5CacheMove

I hope this helps in some small way.  Also, if others have better ideas, I'd 
love to hear them too!

-A

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
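Added example, not from Anthony's post or from the FreeIPA project: a small POSIX shell cron wrapper that folds the two pieces above (a renewable TGT plus a periodic kinit -R) into one step the job runs for itself, and covers the case the original question asks about, a ticket that has already expired. It checks the cache with klist -s, tries kinit -R, and only then falls back to re-acquiring a TGT from a keytab before running the real job. The principal user1@EXAMPLE.COM, the keytab path /etc/krb5.user1.keytab and the wrapper path in the crontab comment are assumptions; the keytab fallback is an alternative to the password-in-script approach described above, not part of Anthony's setup. The kinit and klist paths are taken from variables so the decision logic can be exercised without a KDC.

```shell
#!/bin/sh
# Added example (not from the original post): cron wrapper that makes sure a
# usable Kerberos TGT is in the ccache before running the job.
# Assumed (hypothetical) names: principal user1@EXAMPLE.COM, keytab
# /etc/krb5.user1.keytab, ccache FILE:/tmp/krb5cc_<uid>.
#
# Order of attempts:
#   1. klist -s     : unexpired TGT already present      -> nothing to do
#   2. kinit -R     : TGT expired, renewable life left   -> renew in place
#   3. kinit -k -t  : renewable life exhausted as well   -> fresh TGT from keytab
# MIT krb5 rejects renewal of an already-expired ticket, which is why step 3
# exists at all; steps 1 and 2 alone are what the cron job above does.

KLIST="${KLIST:-/usr/bin/klist}"
KINIT="${KINIT:-/usr/bin/kinit}"
PRINCIPAL="${PRINCIPAL:-user1@EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/krb5.user1.keytab}"
# Same default cache location kinit/klist use for this UID.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/krb5cc_$(id -u)}"

# ensure_tgt: leaves a valid TGT in KRB5CCNAME and returns 0, printing which
# step produced it (valid, renewed, keytab); prints "failed" and returns 1
# if none of the steps worked.
ensure_tgt() {
    if "$KLIST" -s 2>/dev/null; then
        echo valid
        return 0
    fi
    if "$KINIT" -R 2>/dev/null; then
        echo renewed
        return 0
    fi
    if [ -r "$KEYTAB" ] && "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" 2>/dev/null; then
        echo keytab
        return 0
    fi
    echo failed
    return 1
}

# run_job: refresh credentials first, then exec the command given as
# arguments.  Returns 1 without running anything if no TGT could be obtained,
# so a broken credential shows up in cron mail instead of as a stalled job.
run_job() {
    _state=$(ensure_tgt) || {
        echo "no usable Kerberos credentials (${_state})" >&2
        return 1
    }
    "$@"
}

# When invoked with a command line, run it; e.g. from the user's crontab:
#   15 */4 * * *  /usr/local/bin/krb-cron-wrapper /path/to/nightly-job
if [ $# -gt 0 ]; then
    run_job "$@"
fi
```

Because the wrapper obtains credentials at the moment the job runs, the separate kinit -R crontab entry is no longer load-bearing; it can stay as a belt-and-braces renewal, or the job itself can be scheduled through the wrapper. The keytab fallback does reintroduce the trade-off Anthony mentions: a keytab on disk is as sensitive as the password in the login script and should be owned by the job's user with mode 0600.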