Using a keytab file to automate cron jobs needing kerberos credentials

Create a keytab file (see Related Articles), then use the k5start tool to obtain a credential from that keytab and keep it renewed for as long as the specified program runs.

For example, to run "myscript" hourly as the service account "d123abc":

 0 * * * * /usr/bin/k5start -f /usr/local/d123abc/private/key -- d123abc@KIEWIT.DARTMOUTH.EDU sh -c '/dartfs-hpc/rc/home/..../myscript args'

The keytab (here /usr/local/d123abc/private/key) must be accessible to the account running the cron job, must not live in kerberized storage (it is needed before any credential exists), and should be readable only by that account. Everything passed in quotes to "sh -c" is the script to run; that script can live in kerberized space and reference files in kerberized space.

If the script itself lives in local, non-kerberized space, the cron job needs no special syntax, but the script must itself run k5start or kinit to obtain a credential before doing anything that references kerberized storage.
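For that second case, the following wrapper is an added example (not from this article): it refuses to run if the keytab is readable by anyone but its owner, obtains a ticket from the keytab with kinit, runs the job command, and destroys the ticket afterwards. The keytab path, principal, ticket-cache location and job command are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: wrapper for a cron job whose
# script lives in local (non-kerberized) space and must obtain its own ticket.
# The keytab path, principal and job command below are placeholders.

KEYTAB="${KEYTAB:-/usr/local/d123abc/private/key}"
PRINCIPAL="${PRINCIPAL:-d123abc@KIEWIT.DARTMOUTH.EDU}"
# Use a private ticket cache so this job cannot clobber another job's tickets.
export KRB5CCNAME="${KRB5CCNAME:-FILE:/tmp/krb5cc_cron_$(id -u)_$$}"

# Return 0 only if the keytab is a regular file, owned by the user running
# the job, with no group or other permission bits (e.g. mode 0600 or 0400).
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || return 1
    [ -O "$kt" ] || return 1
    # Characters 5-10 of "ls -ld" output are the group and other permission bits.
    perms=$(ls -ld "$kt" | cut -c5-10) || return 1
    [ "$perms" = "------" ]
}

# Obtain a ticket from the keytab, run the given command, then destroy the
# ticket. The command's exit status is preserved.
run_with_ticket() {
    if ! check_keytab_perms "$KEYTAB"; then
        echo "refusing to run: $KEYTAB must be owned by $(id -un) and mode 0600" >&2
        return 2
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 3
    "$@"
    rc=$?
    kdestroy
    return "$rc"
}

# When invoked with arguments (e.g. from cron), run them under a ticket;
# without arguments, only define the functions above.
if [ "$#" -gt 0 ]; then
    run_with_ticket "$@"
fi
```

A cron entry for this wrapper would then look like `0 * * * * /usr/local/d123abc/bin/wrapper.sh /path/to/myscript args`, with the keytab check and kinit happening inside the wrapper rather than on the cron line.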



Article ID: 94843
Fri 12/20/19 3:19 PM
Mon 2/3/20 4:17 PM