Discussion:
[systemd-devel] Why working this on reboot but not on start up
Günther J. Niederwimmer
2014-09-30 11:24:13 UTC
Hello,

I have a problem getting this to run correctly: it works on a reboot but not on
start-up.

Can anyone help me with this problem? Thanks.

I made a new service file for the Kerberos initialisation.

This is my construct; is anything wrong in these files?

/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -


/etc/systemd/system/kinit.service
[Unit]
Description=Kerberos initial kinit
Wants=SuSEfirewall2_setup.service
After=SuSEfirewall2_setup.service

[Service]
Type=simple
ExecStart=/usr/bin/kinit -k host/asmtp.gjn.prv
Restart=on-failure
RestartSec=30

[Install]
WantedBy=multi-user.target


/etc/systemd/system/kinit.timer
[Unit]
Description=Fist Initialisation of KRB5

[Timer]
OnBootSec=3min

[Install]
WantedBy=timers.target


Thanks for the help.
--
mit freundlichen Grüßen / best Regards,

Günther J. Niederwimmer
Andrei Borzenkov
2014-09-30 16:38:10 UTC
On Tue, 30 Sep 2014 13:24:13 +0200
Post by Günther J. Niederwimmer
Hello,
I have a problem to run this correct, it is working on a reboot but not on
start up.
What does "does not work" mean exactly?
Post by Günther J. Niederwimmer
Can any help me for this Problem, Thanks.
Without a clear explanation of what "working" and what "not working" is?
Unlikely.
Post by Günther J. Niederwimmer
I make a new service File for the kerberos initialisation
this is my construct is any wrong in this files?
/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -
/etc/systemd/system/kinit.service
[Unit]
Description=Kerberos initial kinit
Wants=SuSEfirewall2_setup.service
Why does Kerberos initialization *want* the firewall? I can understand After,
but I have a hard time understanding Wants here.
Post by Günther J. Niederwimmer
After=SuSEfirewall2_setup.service
[Service]
Type=simple
Do you really mean it? I'd rather expect oneshot here.
Post by Günther J. Niederwimmer
ExecStart=/usr/bin/kinit -k host/asmtp.gjn.prv
Restart=on-failure
RestartSec=30
[Install]
WantedBy=multi-user.target
/etc/systemd/system/kinit.timer
[Unit]
Description=Fist Initialisation of KRB5
[Timer]
OnBootSec=3min
[Install]
WantedBy=timers.target
Why do you need to start it two times - once as normal service and
second time as timer?
Post by Günther J. Niederwimmer
Thanks for the help.
Günther J. Niederwimmer
2014-09-30 17:24:40 UTC
Hello,
Post by Andrei Borzenkov
On Tue, 30 Sep 2014 13:24:13 +0200
Post by Günther J. Niederwimmer
Hello,
I have a problem to run this correct, it is working on a reboot but not on
start up.
What "does not work" means exactly?
Better I say it works sometimes, but most of the time not
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
Can any help me for this Problem, Thanks.
Without clear explanation what "working" and what "not working" is?
Unlikely.
I have a 0/SUCCESS in the status but I have no Principal
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
I make a new service File for the kerberos initialisation
this is my construct is any wrong in this files?
/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -
/etc/systemd/system/kinit.service
[Unit]
Description=Kerberos initial kinit
Wants=SuSEfirewall2_setup.service
Why Kerberos initialization *wants* firewall? I can understand After,
but I have hard time to understand Wants here.
The Kerberos server is on another system (KVM client)

OK I delete the Wants ;)

and change After=network.target
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
After=SuSEfirewall2_setup.service
[Service]
Type=simple
Do you really mean it? I'd rather expect oneshot here.
I have a systemd Error with oneshot
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
ExecStart=/usr/bin/kinit -k host/asmtp.gjn.prv
Restart=on-failure
RestartSec=30
[Install]
WantedBy=multi-user.target
/etc/systemd/system/kinit.timer
[Unit]
Description=Fist Initialisation of KRB5
[Timer]
OnBootSec=3min
[Install]
WantedBy=timers.target
Why do you need to start it two times - once as normal service and
second time as timer?
Normal, I like to start only with timer service.
--
mit freundlichen Grüßen / best Regards,

Günther J. Niederwimmer
Andrei Borzenkov
2014-10-01 05:38:26 UTC
Post by Günther J. Niederwimmer
Hello,
Post by Andrei Borzenkov
On Tue, 30 Sep 2014 13:24:13 +0200
Post by Günther J. Niederwimmer
Hello,
I have a problem to run this correct, it is working on a reboot but not on
start up.
What "does not work" means exactly?
Better I say it works sometimes, but most of the time not
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
Can any help me for this Problem, Thanks.
Without clear explanation what "working" and what "not working" is?
Unlikely.
I have a 0/SUCCESS in the status but I have no Principal
I'm confused. You mean - you have no ticket for principal, or that TGT
replies that your principal does not exist?
Post by Günther J. Niederwimmer
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
I make a new service File for the kerberos initialisation
this is my construct is any wrong in this files?
/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -
/etc/systemd/system/kinit.service
[Unit]
Description=Kerberos initial kinit
Wants=SuSEfirewall2_setup.service
Why Kerberos initialization *wants* firewall? I can understand After,
but I have hard time to understand Wants here.
The kerberos Server is on a other System (KVM Client)
OK I delete the Wants ;)
and change After=network.target
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
After=SuSEfirewall2_setup.service
[Service]
Type=simple
Do you really mean it? I'd rather expect oneshot here.
I have a systemd Error with oneshot
Well, in both cases it looks like kinit fails to obtain a ticket. So
this is the real problem you need to debug. systemd can assist here by
capturing output of kinit for further analysis, but that's probably
all. Try asking kerberos guys how to enable verbose debugging of
kinit.
Post by Günther J. Niederwimmer
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
ExecStart=/usr/bin/kinit -k host/asmtp.gjn.prv
Restart=on-failure
RestartSec=30
[Install]
WantedBy=multi-user.target
/etc/systemd/system/kinit.timer
[Unit]
Description=Fist Initialisation of KRB5
[Timer]
OnBootSec=3min
[Install]
WantedBy=timers.target
Why do you need to start it two times - once as normal service and
second time as timer?
Normal, I like to start only with timer service.
--
mit freundlichen Grüßen / best Regards,
Günther J. Niederwimmer
Mantas Mikulėnas
2014-10-02 10:55:19 UTC
Post by Günther J. Niederwimmer
Hello,
Post by Andrei Borzenkov
On Tue, 30 Sep 2014 13:24:13 +0200
Post by Günther J. Niederwimmer
Hello,
I have a problem to run this correct, it is working on a reboot but not on
start up.
What "does not work" means exactly?
Better I say it works sometimes, but most of the time not
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
Can any help me for this Problem, Thanks.
Without clear explanation what "working" and what "not working" is?
Unlikely.
I have a 0/SUCCESS in the status but I have no Principal
What do you have in the system log then? Doesn't kinit output any
error messages to the journal?

Also, *where* are you looking for the tickets? Your .service unit does
not specify the cache location anywhere, so kinit might not be using
the location you expect – it might be using FILE:/tmp/krb5cc_0 or
something such.
Post by Günther J. Niederwimmer
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
After=SuSEfirewall2_setup.service
[Service]
Type=simple
Do you really mean it? I'd rather expect oneshot here.
I have a systemd Error with oneshot
What error?

Type=simple is really wrong for kinit. It would be fine for k5start.
Post by Günther J. Niederwimmer
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
ExecStart=/usr/bin/kinit -k host/asmtp.gjn.prv
Restart=on-failure
RestartSec=30
[Install]
WantedBy=multi-user.target
/etc/systemd/system/kinit.timer
[Unit]
Description=Fist Initialisation of KRB5
[Timer]
OnBootSec=3min
[Install]
WantedBy=timers.target
Why do you need to start it two times - once as normal service and
second time as timer?
Normal, I like to start only with timer service.
Then why does your .service have an [Install] section?

///

I suggest using `k5start` instead, as a regular `kinit` will just
obtain a ticket but won't do anything when it expires in a few hours.

[Unit]
After=network.target

[Service]
Type=forking
ExecStart=/usr/bin/k5start -k FILE:/tmp/krb5cc_host -L -b -K 30 -f /etc/krb5.keytab -u host/asmtp.gjn.prv
Restart=on-failure

[Install]
WantedBy=multi-user.target
--
Mantas Mikulėnas <***@gmail.com>
Andrei Borzenkov
2014-10-02 15:41:35 UTC
On Thu, 2 Oct 2014 13:55:19 +0300
Post by Mantas Mikulėnas
Post by Günther J. Niederwimmer
Hello,
Post by Andrei Borzenkov
On Tue, 30 Sep 2014 13:24:13 +0200
Post by Günther J. Niederwimmer
Hello,
I have a problem to run this correct, it is working on a reboot but not on
start up.
What "does not work" means exactly?
Better I say it works sometimes, but most of the time not
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
Can any help me for this Problem, Thanks.
Without clear explanation what "working" and what "not working" is?
Unlikely.
I have a 0/SUCCESS in the status but I have no Principal
What do you have in the system log then? Doesn't kinit output any
error messages to the journal?
Also, *where* are you looking for the tickets? Your .service unit does
not specify the cache location anywhere, so kinit might not be using
the location you expect – it might be using FILE:/tmp/krb5cc_0 or
something such.
It is openSUSE so tickets go into /run/user/<uid>/something-I-forgot

And yes, this turned out to be a problem for services started by root
because this directory does not yet exist.
Post by Mantas Mikulėnas
Post by Günther J. Niederwimmer
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
After=SuSEfirewall2_setup.service
[Service]
Type=simple
Do you really mean it? I'd rather expect oneshot here.
I have a systemd Error with oneshot
What error?
Type=simple is really wrong for kinit. It would be fine for k5start.
Post by Günther J. Niederwimmer
Post by Andrei Borzenkov
Post by Günther J. Niederwimmer
ExecStart=/usr/bin/kinit -k host/asmtp.gjn.prv
Restart=on-failure
RestartSec=30
[Install]
WantedBy=multi-user.target
/etc/systemd/system/kinit.timer
[Unit]
Description=Fist Initialisation of KRB5
[Timer]
OnBootSec=3min
[Install]
WantedBy=timers.target
Why do you need to start it two times - once as normal service and
second time as timer?
Normal, I like to start only with timer service.
Then why does your .service have an [Install] section?
///
I suggest using `k5start` instead, as a regular `kinit` will just
obtain a ticket but won't do anything when it expires in a few hours.
[Unit]
After=network.target
[Service]
Type=forking
ExecStart=/usr/bin/k5start -k FILE:/tmp/krb5cc_host -L -b -K 30 -f /etc/krb5.keytab -u host/asmtp.gjn.prv
Restart=on-failure
[Install]
WantedBy=multi-user.target
Lennart Poettering
2014-10-02 10:16:49 UTC
Post by Günther J. Niederwimmer
Hello,
I have a problem to run this correct, it is working on a reboot but not on
start up.
Can any help me for this Problem, Thanks.
I make a new service File for the kerberos initialisation
this is my construct is any wrong in this files?
/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -
This won't work. We nowadays mount /run/user/$UID as a tmpfs at the
time of first login of a user, and unmount it at time of last
logout. Creating a dir in that directory will hence have little effect
during runtime, as it will be overmounted as you log in.

Lennart
--
Lennart Poettering, Red Hat
Günther J. Niederwimmer
2014-10-02 10:34:52 UTC
Hello pros.

Thanks for the answer.
Post by Lennart Poettering
Post by Günther J. Niederwimmer
Hello,
I have a problem to run this correct, it is working on a reboot but not on
start up.
Can any help me for this Problem, Thanks.
I make a new service File for the kerberos initialisation
this is my construct is any wrong in this files?
/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -
This won't work. We nowadays mount /run/user/$UID as a tmpfs at the
time of first login of a user, and unmount it at time of last
logout. Creating a dir in that directory will hence have little effect
during runtime, as it will be overmounted as you log in.
Is it possible to test if the file / link exists ("/run/user/0/krb5cc/tkt") with
systemd and restart when not?

Now I found a way to start kinit on the KVM clients but not on the host :(.

Google doesn't help.
--
mit freundlichen Grüßen / best Regards,

Günther J. Niederwimmer
Lennart Poettering
2014-10-02 10:38:42 UTC
Post by Günther J. Niederwimmer
Hello Profis.
Thank's for the answer.
Post by Lennart Poettering
Post by Günther J. Niederwimmer
Hello,
I have a problem to run this correct, it is working on a reboot but not on
start up.
Can any help me for this Problem, Thanks.
I make a new service File for the kerberos initialisation
this is my construct is any wrong in this files?
/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -
This won't work. We nowadays mount /run/user/$UID as a tmpfs at the
time of first login of a user, and unmount it at time of last
logout. Creating a dir in that directory will hence have little effect
during runtime, as it will be overmounted as you log in.
Is it possible to test if the file / link exist ("/run/user/0/krb5cc/tkt") with
systemd and restart when not.
No, this is not available.
Post by Günther J. Niederwimmer
now I found a way to start kinit on the KVM Clients but not on the Host :(.
Note that this won't work at all with more recent krb versions as they
nowadays use the kernel user keyring to store the tickets in...

But anyway, I am no kerberos guru, I am not sure I grok what you are
trying to do.

Lennart
--
Lennart Poettering, Red Hat
Mantas Mikulėnas
2014-10-02 10:48:00 UTC
On Thu, Oct 2, 2014 at 1:38 PM, Lennart Poettering
Post by Lennart Poettering
Note that this won't work at all with more recent krb versions as they
nowadays use the kernel user keyring to store the tickets in...
It will work just fine; the DIR: and FILE: cache types aren't going to
be removed any time soon. (Using KEYRING: as the default location
seems to be Fedora-specific too; I have 1.12.2 on Arch and it still
defaults to FILE:.)

And Günther's service is meant to obtain *host* credentials, where one
of DIR: or FILE: is pretty much a requirement anyway (used by e.g.
mounting NFS/CIFS shares on boot) – unless I missed something,
`rpc.gssd` still only looks for FILE:/tmp/krb5cc_$UID and
DIR:/run/user/$UID/krb5cc...
--
Mantas Mikulėnas <***@gmail.com>
Günther J. Niederwimmer
2014-10-02 10:53:45 UTC
Hello,
Post by Lennart Poettering
Post by Günther J. Niederwimmer
Post by Lennart Poettering
Post by Günther J. Niederwimmer
this is my construct is any wrong in this files?
/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -
This won't work. We nowadays mount /run/user/$UID as a tmpfs at the
time of first login of a user, and unmount it at time of last
logout. Creating a dir in that directory will hence have little effect
during runtime, as it will be overmounted as you log in.
Is it possible to test if the file / link exist ("/run/user/0/krb5cc/tkt")
with systemd and restart when not.
No, this is not available.
Post by Günther J. Niederwimmer
now I found a way to start kinit on the KVM Clients but not on the Host :(.
Note that this won't work at all with more recent krb versions as they
nowadays use the kernel user keyring to store the tickets in...
But anyway, I am no kerberos guru, I am not sure I grok what you are
trying to do.
I only want to run a kinit -k host/............... with a timer after a reboot
or start. On the KVM host, the Kerberos server is a KVM client.

With systemctl status kinit I have a 0/SUCCESS but no "tkt" file.

That's all :-(.

On an older system I made it with cron's extra character "@reboot", but this is
no longer working. I can't say why.
--
mit freundlichen Grüßen / best Regards,

Günther J. Niederwimmer
Andrei Borzenkov
2014-10-02 15:47:46 UTC
On Thu, 02 Oct 2014 12:53:45 +0200
Post by Günther J. Niederwimmer
Hello,
Post by Lennart Poettering
Post by Günther J. Niederwimmer
Post by Lennart Poettering
Post by Günther J. Niederwimmer
this is my construct is any wrong in this files?
/etc/tmpfiles.d/kinit.conf
d /run/user/0/krb5cc 1777 root root -
This won't work. We nowadays mount /run/user/$UID as a tmpfs at the
time of first login of a user, and unmount it at time of last
logout. Creating a dir in that directory will hence have little effect
during runtime, as it will be overmounted as you log in.
Is it possible to test if the file / link exist ("/run/user/0/krb5cc/tkt")
with systemd and restart when not.
Start with redefining kerberos cache to be somewhere else, in a
directory that is known to exist. Like /tmp :)
Post by Günther J. Niederwimmer
Post by Lennart Poettering
No, this is not available.
Post by Günther J. Niederwimmer
now I found a way to start kinit on the KVM Clients but not on the Host :(.
Note that this won't work at all with more recent krb versions as they
nowadays use the kernel user keyring to store the tickets in...
But anyway, I am no kerberos guru, I am not sure I grok what you are
trying to do.
I like only to do after reboot or start a kinit -k host/...............
with a timer. on the KVM-Host the kerberos server is a KVM-client.
I have with systemctl status kinit a 0/SUCCESS but no "tkt" file
And a couple of posts before you said you had an ERROR ...

How do you check whether tkt file exists? Heck, add ExecStartPost
which does "ls -lr /run/user/0" which at least will prove that this
file existed right after kinit completed. Or not ...
Post by Günther J. Niederwimmer
That's all :-(.
no longer working. I can't say why?
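The points raised across the thread (oneshot instead of simple, an explicit cache location outside /run/user/0, timer-only activation, and a check right after kinit), combined into one pair of units. This is an added example, not a configuration posted by any participant; the klist path, the network-online.target ordering and the OnUnitActiveSec interval are assumptions.

```ini
# /etc/systemd/system/kinit.service  (added example)
[Unit]
Description=Obtain host Kerberos ticket from keytab
# Assumption: network-online.target instead of the thread's network.target,
# because network.target does not wait for the network to be configured.
Wants=network-online.target
After=network-online.target

[Service]
# kinit exits once it has the ticket, so oneshot rather than simple.
Type=oneshot
# Explicit cache outside /run/user/0, which per the thread is overmounted
# at first login. Path taken from the k5start suggestion in the thread.
Environment=KRB5CCNAME=FILE:/tmp/krb5cc_host
# Keytab path as in the k5start suggestion; principal as in the original unit.
ExecStart=/usr/bin/kinit -k -t /etc/krb5.keytab host/asmtp.gjn.prv
# Assumed path for klist. Logs the cache contents to the journal and makes
# the unit fail if no cache was written, instead of reporting success.
ExecStartPost=/usr/bin/klist

# No [Install] section: the service is started only by kinit.timer.

# /etc/systemd/system/kinit.timer  (added example)
[Unit]
Description=Run kinit after boot and again before the ticket expires

[Timer]
OnBootSec=3min
# Assumed interval; set it below the ticket lifetime configured on the KDC.
OnUnitActiveSec=4h

[Install]
WantedBy=timers.target
```

Only kinit.timer is enabled; `journalctl -u kinit.service` then shows the kinit and klist output of each run.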