Greetings all,

I sent the following message to amanda-users before my subscription was 
accepted.  I don't see it in the archives so I'm resending although I have some 
updates at the end.

Original message--

After a long day of troubleshooting the amcheck message "WARNING: <hostname>: 
selfcheck request failed: <hostname>: could not get TGT: error initializing 
ccache: Internal credentials cache error", I discovered (by "strace"ing 
amcheck) that the kerberos credential cache was being written to /tmp/krb5cc_0, 
but this file already existed and was readable and writeable only by root:root. 
 I deleted root's kerberos ccache and reran amcheck and the program still 
wanted to use /tmp/krb5cc_0, but it set the file's ownership to backup:backup.  
amcheck then gave me a different error message: "WARNING: <hostname>: selfcheck 
request failed: EOF in gss loop".

Is this a problem with my kerberos config, amanda, or with the MIT kerberos 
libraries?  Could the setuid nature of amcheck be confusing the krb5_cc_* code 
in libkrb5?

Details:
Ubuntu 8.10
Amanda 3.1.0
libkrb53 1.6.dfsg.3~beta1-2ubuntu1.5

running "kinit -kt /etc/amanda/krb5.keytab amanda/backupser...@realm" as the 
backup user works.   Running "kvno amanda/backupser...@realm" on the client 
works, so it seems that my kerberos setup is all good.  I realize I could 
figure out if this is a problem with libkrb5 and not amanda specifically by 
learning my way around the krb5 library and writing a simple setuid kerberos 
program, but I thought someone on amanda-users might have seen this before and 
could lend some pointers.

Updates--

After another day of troubleshooting I think I found the problem.  Running 
'strings /usr/lib/amanda/libamanda-3.1.0.so | grep amanda_ccache' shows 
'KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  This should be 
'KRB5CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld'.  I see '#define KRB5_ENV_CCNAME 
"KRB5CCNAME"' in 'krb5-security.c', however.  Does the preprocessor still 
ignore substituting inside string literals?  That would explain why the 
substitution isn't happening in krb5_init().

I am still having the 'EOF in gss loop' error however.

Many thanks,
Tim Nowaczyk

--
Timothy Nowaczyk
Network Systems Engineer
University of Virginia - ITC
ta...@virginia.edu
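
Added example, not part of the original post and not Amanda's own code: C does not expand macro names inside string literals, so the two format strings below behave differently once exported. The function name, the split-and-setenv approach and the numeric arguments are assumptions made for illustration; only the #define and the two strings come from the message above.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* for setenv()/unsetenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KRB5_ENV_CCNAME "KRB5CCNAME"   /* as quoted from krb5-security.c */

/* Macro name inside the literal: the preprocessor leaves it untouched. */
#define CCACHE_FMT_BROKEN "KRB5_ENV_CCNAME=FILE:/tmp/amanda_ccache.%ld.%ld"
/* Macro outside the literal: it expands, then adjacent literals are joined. */
#define CCACHE_FMT_FIXED  KRB5_ENV_CCNAME "=FILE:/tmp/amanda_ccache.%ld.%ld"

/*
 * Hypothetical helper: format NAME=VALUE, export it, and report whether
 * KRB5CCNAME is set afterwards (1 = set, 0 = not set, -1 = error).
 * When it is not set, libkrb5 uses its default cache, which in the post
 * was /tmp/krb5cc_0.
 */
static int export_ccache(const char *fmt, long a, long b)
{
    char buf[128];
    char *eq;

    unsetenv("KRB5CCNAME");              /* start from a clean state */
    snprintf(buf, sizeof buf, fmt, a, b);
    eq = strchr(buf, '=');
    if (eq == NULL)
        return -1;
    *eq = '\0';                          /* split into name and value */
    if (setenv(buf, eq + 1, 1) != 0)
        return -1;
    return getenv("KRB5CCNAME") != NULL;
}

int main(void)
{
    /* 0 and 1234 are constructed sample values for the two %ld fields. */
    printf("broken: KRB5CCNAME set? %d\n",
           export_ccache(CCACHE_FMT_BROKEN, 0L, 1234L));
    printf("fixed:  KRB5CCNAME set? %d (%s)\n",
           export_ccache(CCACHE_FMT_FIXED, 0L, 1234L),
           getenv("KRB5CCNAME"));
    return 0;
}
```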



