One more thing, I had to go back to su and it works correctly. I can
successfully su to a different user and access the new home directory
without any problems, but I'm keen to use ksu as all services on my
cluster have been moved to Kerberos. To clarify, to be able to access the home
directory, the user must have a valid ticket in the target user's cache. What
exactly happens is all tickets are saved in the source user's cache, which is
not readable by the target user. This is why it fails to mount the home
directory. Please advise. Again, this is only happening with ksu.

> From: [EMAIL PROTECTED]
> To: kerberos@mit.edu
> Subject: ksu sets the wrong permissions on the cache file!
> Date: Sun, 6 Jan 2008 10:20:06 +0200
> 
> 
> When I log in as user1 and then try to ksu to user2, the cache is owned by
> user1! user2 has no access at all, not even read access! The cache file is not
> in the normal form /tmp/krb5cc_uid; instead it is /tmp/krb5cc_uid.1 (an
> integer is appended).
> 
> I'm using NFS4 & Kerberos and both are working fine when I log in or SSH but
> not when I ksu. I checked the log and here is what I found:
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: doing error downcall
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: handling krb5 upcall
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: getting credentials for client with 
> uid 1002 for server [EMAIL PROTECTED]
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: using FILE:/tmp/krb5cc_1002 as 
> credentials cache for client with uid 1002 for server [EMAIL PROTECTED]
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: using environment variable to select 
> krb5 ccache FILE:/tmp/krb5cc_1002
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: creating context using fsuid 1002 
> (save_uid 0)
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: ERROR: GSS-API: error in 
> gss_acquire_cred(): Miscellaneous failure - Unknown code krb5 195
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: WARNING: Failed while limiting krb5 
> encryption types for user with uid 1002
> Jan  6 09:36:00 ia714204 rpc.gssd[4968]: WARNING: Failed to create krb5 
> context for user with uid 1002 for server [EMAIL PROTECTED]
> 
> Kerberos 195 means no credential cache found; I could not find any
> /tmp/krb5cc_1002 but I found /tmp/krb5cc_1002.1, which is not readable by uid
> 1002.
> I need ksu to get a TGT for the target user and place it in the target user's
> cache, is this possible?
> 
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

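The mismatch described in this thread can be checked mechanically. The following is an added diagnostic example, not part of the original messages and not code from MIT Kerberos or nfs-utils: it pulls the uid and cache path out of rpc.gssd lines of the form quoted above, then reports whether that cache and any suffixed sibling (such as `krb5cc_1002.1`) exist, are owned by that uid, and are private to it. The function names and the sample log line are constructed for illustration.

```python
import glob
import os
import re
import stat

# Matches the rpc.gssd "using FILE:... as credentials cache" line quoted above;
# \s+ also tolerates a line that was wrapped after "as".
GSSD_RE = re.compile(
    r"rpc\.gssd\[\d+\]:\s+using\s+FILE:(\S+)\s+as\s+credentials\s+cache"
    r"\s+for\s+client\s+with\s+uid\s+(\d+)")

def gssd_lookups(log_text):
    """Return [(uid, ccache_path)] for every cache rpc.gssd reports selecting."""
    return [(int(uid), path) for path, uid in GSSD_RE.findall(log_text)]

def audit(uid, path):
    """Check the expected cache and suffixed siblings such as krb5cc_1002.1."""
    findings = []
    for cand in sorted({path, *glob.glob(glob.escape(path) + ".*")}):
        try:
            st = os.lstat(cand)
        except FileNotFoundError:
            findings.append((cand, "missing"))
            continue
        if st.st_uid != uid:
            verdict = f"owned by uid {st.st_uid}, not {uid}"
        elif not st.st_mode & stat.S_IRUSR:
            verdict = "owner cannot read"
        elif st.st_mode & 0o077:
            verdict = "accessible by group/other"
        else:
            verdict = "ok"
        findings.append((cand, verdict))
    return findings

if __name__ == "__main__":
    # Constructed sample in the format of the quoted log; host and server are placeholders.
    sample = ("Jan  6 09:36:00 host rpc.gssd[4968]: using FILE:/tmp/krb5cc_1002 as\n"
              "credentials cache for client with uid 1002 for server nfs@server.example\n")
    for uid, path in gssd_lookups(sample):
        for cand, verdict in audit(uid, path):
            print(f"uid {uid}: {cand}: {verdict}")
```

A "missing" result for the expected path together with a wrong-owner sibling is the situation reported in this thread.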