Operating System - OpenVMS

Kerberos: is KINIT once-only?


Hello wizards,

Not sure whether this question belongs in "networking" or "security", it might touch both areas. Please move if deemed necessary.

I am installing CIFS (Samba) for OpenVMS on a DS20 running OpenVMS V8.3, and in the course of doing so, I want to join an existing Active Directory domain. Everything went smoothly up to the point where I am supposed to verify my Kerberos setup by requesting a ticket using the "kinit" command: I can run the command and obtain a ticket, but this works only once per user process. If I "kdestroy" the ticket and then try to obtain another one, the kinit command seems to loop indefinitely. Here's a log:

$ kinit afreiherr
Password for afreiherr@EU.VISHAYINT.COM:
$ klist
Ticket cache: FILE:krb$user:[tmp]krb5cc_65540
Default principal: afreiherr@EU.VISHAYINT.COM

Valid starting Expires Service principal
03/19/09 11:33:45 03/19/09 21:33:47 krbtgt/EU.VISHAYINT.COM@EU.VISHAYINT.COM
renew until 03/20/09 11:33:45


Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache65540
KRB$KLIST: You have no tickets cached
$ kdestroy
$ klist
KRB$KLIST: No credentials cache found (ticket cache FILE:krb$user:[tmp]krb5cc_65540)



Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache65540
KRB$KLIST: You have no tickets cached
$ kinit afreiherr
Password for afreiherr@EU.VISHAYINT.COM:
VMHN04::_RTA2: 11:34:35 KRB$KINIT CPU=00:00:00.75 PF=2100 IO=1292 MEM=445
VMHN04::_RTA2: 11:34:36 KRB$KINIT CPU=00:00:00.82 PF=2100 IO=4001 MEM=445
VMHN04::_RTA2: 11:34:37 KRB$KINIT CPU=00:00:01.55 PF=2100 IO=26121 MEM=445
VMHN04::_RTA2: 11:34:38 KRB$KINIT CPU=00:00:02.28 PF=2100 IO=46293 MEM=445
VMHN04::_RTA2: 11:34:39 KRB$KINIT CPU=00:00:03.15 PF=2100 IO=70329 MEM=445
Interrupt

$ exit
$ klist
KRB$KLIST: No credentials cache found (ticket cache FILE:krb$user:[tmp]krb5cc_65540)



Kerberos 4 ticket cache: krb$user:[tmp]k4_tkt_cache65540
KRB$KLIST: You have no tickets cached
$

Note that the IO count, as displayed by Control-T, increases rapidly in the second kinit command. Any third and subsequent kinit (mis)behaves like the second one above.

The first kinit succeeds and returns within a split second, so I think the configuration might be close enough. Since there is no error message from the second attempt, I am lost without any hints or keywords to search for.

I found that logging out and back in allows me to obtain another, single ticket by issuing one more kinit. In contrast, shutting down Kerberos and restarting it (KRB$SHUTDOWN.COM / KRB$STARTUP.COM) without logging out/in does NOT give me another chance.

Has anybody seen this before? Any explanation, or even hints on how to fix it?