ITEM: CM4898L
kerberos ticket that will never expire for a non-root user
Question:
If paging caller to call 800-CALLAIX, add
last 4 digits of xmenu item #.
temp: 590-5229tl
rs6000/ 9076
wants a kerberos ticket that will never expire for informix,
if they cannot how to script the creation of a new ticket
customer would like if you could leave the answer on his vm
at tl 590-5229
Response:
ENV:
PSSP-2.1, Model 9076, AIX 4.1.3
CUSTOMER REP:
Jesse Adams
PROBLEM:
Customer restored CWS from old backup and kerberos DB has
changed.
ACTION TAKEN:
Sending rebuild kerberos fax.
ACTION PLAN:
CWCA
TEST CASE:
n/a
Response:
Closing with Customer Approval
Response:
ENV: AIX 4.1, PSSP 2.x
model 9076
CUSTOMER REP: Jesse
PROBLEM: Jesse has a customer who runs Informix which requires
a kerberos user by the name of informix. The customer
has trouble remembering to kinit as the informix user
every 30 days. Hence, every 30 days the database
crashes hard. The customer wants a ticket that will last
forever, even if this involves writing a script or
a C program that runs every night in cron.
ACTION TAKEN: Jesse understands that this is not the design of
Kerberos. We tried a few things with some shell scripting
but it appears kinit may not let you pass a password to
it.
ACTION PLAN: Will get with backend to see if this would
be possible. If we can not come up with a solution
Jesse wants this call escalated to POK.
FUP 3/4 and page him with the last four digits of the
item.
TEST CASE: n/a
Response:
CUSTOMER REP: Jesse
ACTION TAKEN: Did some testing with Todd and this is what we found:
the following script in root's crontab would work. Keep
in mind this is a BIG SECURITY HOLE.
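#!/bin/ksh
# Obtain a ticket as root; it lands in root's ticket file /tmp/tkt0
/usr/lpp/ssp/rcmd/bin/rcmdtgt
# Rename it to the ticket file of the target uid (203)
mv /tmp/tkt0 /tmp/tkt203
# Mode 755 makes the ticket file readable by every user on the system
chmod 755 /tmp/tkt203
# Hand ownership to the non-root user
chown mickster:staff /tmp/tkt203
ACTION PLAN: Will call Jesse tomorrow and tell him.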
Response:
CUSTOMER REP: Jesse Adams
ACTION TAKEN: Paged customer
ACTION PLAN: Awaiting call back.
Response:
CUSTOMER REP: Jesse
ACTION TAKEN: Spoke with Jesse and I will email Jesse the following
to jiadams@vnet.ibm.com
Jesse,
Here's the script to be placed in root's crontab file. What this
script does is root obtains a never ending ticket and moves it
over to the informix id (id=203 in this example). Once the
permissions and ownership are modified on the ticket, informix
now has a never ending ticket. The ticket obtained by rcmdtgt
will only grant informix the ability to use the rcmd commands. It
will not allow him to access hardmon and spmon.
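#!/bin/ksh
# Obtain a ticket as root; it lands in root's ticket file /tmp/tkt0
/usr/lpp/ssp/rcmd/bin/rcmdtgt
# Rename it to the ticket file of the target uid (203 in this example)
mv /tmp/tkt0 /tmp/tkt203
# Mode 755 makes the ticket file readable by every user on the system
chmod 755 /tmp/tkt203
# Hand ownership to the non-root user
chown mickster:staff /tmp/tkt203
ACTION PLAN: none, closing call.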
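Added example, not part of the original support item and not IBM's code: the script above leaves the ticket file at mode 755 and gives it to another user, so an administrator can audit ticket files for exactly those two conditions. It assumes the /tmp/tkt<uid> naming shown in the script; the function name audit_tkt_dir is hypothetical.

```shell
#!/bin/sh
# Added example: audit Kerberos ticket files named tkt<uid> in a directory.
# Assumption: ticket files follow the /tmp/tkt<uid> naming used on this page.
#
# audit_tkt_dir DIR
#   Prints one line per finding:
#     MODE  <file> <mode>                  group/other bits are set
#     OWNER <file> uid=<n> expected=<m>    owner differs from the uid suffix
#   Returns 0 when every ticket file is clean, 1 otherwise.
# Typical use: audit_tkt_dir /tmp
audit_tkt_dir() {
    dir=$1
    bad=0
    for f in "$dir"/tkt*; do
        [ -f "$f" ] || continue          # no match, or not a regular file
        # ls -ln prints the numeric uid, so no passwd lookup is needed
        set -- $(ls -ln "$f")
        perms=$1
        owner=$3
        # Characters 5-10 of the mode string are the group and other bits
        go=$(printf '%s' "$perms" | cut -c5-10)
        if [ "$go" != "------" ]; then
            echo "MODE $f $perms"
            bad=1
        fi
        # The numeric suffix names the uid the ticket file is meant for
        want=${f##*/tkt}
        case $want in
            ''|*[!0-9]*) continue ;;     # suffix is not a plain uid
        esac
        if [ "$owner" != "$want" ]; then
            echo "OWNER $f uid=$owner expected=$want"
            bad=1
        fi
    done
    return $bad
}
```

Run from root's crontab, a non-zero return can be used to raise an alert before a widely readable ticket file goes unnoticed.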
Response:
CUSTOMER REP: Jesse Adams
ACTION TAKEN: Resent email to Jesse, mailed it to his ov/vm account.
Left vm at his t/l 590-5229.
ACTION PLAN: Will follow up with Jesse 3/5.
Response:
CUSTOMER REP: Jesse
ACTION TAKEN: paged caller
ACTION PLAN: awaiting call back, did he receive my mail?
Response:
CUSTOMER REP: Jesse
ACTION TAKEN: Jesse had not logged on today to see if he had
received the email yet.
ACTION PLAN: He will check his mail and call back if he does
not receive the mail.
Support Line: kerberos ticket that will never expire for a non-root user ITEM: CM4898L
Dated: May 1997 Category: N/A
This HTML file was generated 99/06/24~13:30:17