Support Questions

Find answers, ask questions, and share your expertise
Celebrating as our community reaches 100,000 members! Thank you!

Kerberos ticket error in a cron job


I have a script that should run in a cron job and should be authenticated with hdfs user through kerberos.

To run the script outside the cron job, from the shell, I execute the following commands:

sudo -i
kinit -V -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs

The above commands execute as I needed them to. However, when I call the same set of commands in a cron job, I get the following error GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)]

I get the same error if I tried to run the same commands from the shell but not through (Using my current user) the root as below

sudo kinit -V -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs #works fine
sudo callMyScriptWithParams #throw the error

I tried to create several versions of the cron job, one of them is below (Runs every three minutes for testing purposes)

*/3 * * * * root sudo -i; kinit -V -kt /etc/security/keytabs/hdfs.headless.keytab hdfs; klist; callMyScriptWithParams; klist

I am calling 'klist' to check that I am getting the correct ticket. Klist returen the hdfs user ticket before and after calling my script. Since I have a valid ticket, I am not sure why am I getting the above error. Below is the output when I obtain the ticket:

Using default cache: /run/user/krb5cc/krb5cc_0
Using principal: hdfs@MyRealm
Using keytab: /etc/security/keytabs/hdfs.headless.keytab
Authenticated to Kerberos v5

and this is an example of a retrieved ticket from 'klist'

Ticket cache: FILE:/run/user/krb5cc/krb5cc_0
Default principal: hdfs@MyRealm

Valid starting       Expires              Service principal
10/17/2016 15:12:01  10/18/2016 15:12:01  krbtgt/MyRealm@MyRealm

If I am retrieving a valid ticket before and after calling myscript, then why am I getting 'Failed to find any Kerberos tgt' error when I call the script? specially that I called the same commands outside the cron job and they worked fine.

P.S. I tried to cron job without the 'sudo -i' as well but I am still getting the same error.


Expert Contributor

Please check if the user running the cron job has permission to read keytab file.

Following is a relevant post that can help you further.


The user does have permission, when I run klist before and after calling my script I find a valid ticket which means that the cron job was able read the keytab file. I used the link to be able to call multiple commands in the same cron job line. It still does not explain why am I having this error I am afraid 😞


There might be the possible below cause.


1. If the script is running fine manually from your user, then maybe a problem with the binary path.  Export the kinit binary path in the script.


export PATH="/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/java/latest/bin:/usr/java/latest/jre/bin:/root/bin:/bin"


2. check the permission for the key tab file and the RWX permission for the user

3. If the above solution not works try to add the ticket generation command separately in corn  for every 10 min and test the script.

*/10 * * * * kinit -kt /root/user.keytab user@PROD.EDH