Detecting IBM's kinit failure

rkashyap
Premium Member
Posts: 532
Joined: Fri Dec 02, 2011 12:02 pm
Location: Richmond VA

Detecting IBM's kinit failure

Post by rkashyap »

IBM's latest JDK is installed on the DataStage server.

IBM's kinit is being used to generate a Kerberos ticket. This command generates a ticket for a limited time period and subsequently it needs to be renewed.

We are invoking the command through a scheduler to renew the ticket. Return code from this command is "0", both in failure and success!

Code:

$ /opt/IBM/InformationServer/jdk/jre/bin/java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pxa6470_27sr4fp5-20170421_02(SR4 FP5))
IBM J9 VM (build 2.7, JRE 1.7.0 Linux amd64-64 Compressed References 20170406_343211 (JIT enabled, AOT enabled)
J9VM - R27_Java727_SR4_20170406_2107_B343211
JIT  - tr.r13.java_20170406_343211
GC   - R27_Java727_SR4_20170406_2107_B343211_CMPRSS
J9CL - 20170406_343211)
JCL - 20170420_01 based on Oracle jdk7u141-b11

$  /opt/IBM/InformationServer/jdk/jre/bin/kinit -k -t /opt/IBM/InformationServer/Server/DSEngine/XXXXX.keytab XXXXX@DOMAINNM.COM -c FILE:/tmp/krb5cc_203
com.ibm.security.krb5.KrbException, status code: 25
        message: Additional pre-authentication required
$ echo $?
0

$  /opt/IBM/InformationServer/jdk/jre/bin/kinit -fail uyhyuy
com.ibm.security.krb5.KrbException, status code: 6
        message: Client not found in Kerberos database
$ echo $?
0

In order to detect failure, we are planning to wrap the kinit command in a script and parse the return message for a bad status code. :-(

Can you please share your thoughts/suggestions?
chulett
Charter Member
Posts: 43085
Joined: Tue Nov 12, 2002 4:34 pm
Location: Denver, CO

Post by chulett »

I'm going to assume, based on nothing but experience with other tools that did this, that your 0 return code simply means the command was syntactically correct and thus ran without blowing up. Did you try passing it invalid syntax? Guessing you'll only see your non-zero return code then.

And in those cases, I've always had to parse out the result from messages like you are getting here and as you are already planning to do.
-craig

"You can never have too many knives" -- Logan Nine Fingers
rkashyap
Premium Member
Posts: 532
Joined: Fri Dec 02, 2011 12:02 pm
Location: Richmond VA

Post by rkashyap »

Thank you. IBM's kinit gives RC of "0" with bad syntax also, though default kinit works ok ...

Code:

$ /opt/IBM/InformationServer/jdk/jre/bin/kinit  -~ oij
com.ibm.security.krb5.KrbException, status code: 6
        message: Client not found in Kerberos database
$ echo $?
0

$ /usr/bin/kinit  -~ oij
/usr/bin/kinit: invalid option -- '~'
Usage: kinit [-V] [-l lifetime] [-s start_time] 
.
.
.
$ echo $?
2

Apparently this bug used to impact all flavors of kinit. It was reported in 2002 and fixed in version 1.4.2. :)
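The wrapper discussed in this thread, sketched as an added example that is not code from either poster or from IBM: it captures kinit's output and converts a `KrbException, status code: N` line into a non-zero exit status that a scheduler can act on. It assumes failures always print that line, as in the two samples above; `kinit_checked`, `krb_status_from_output` and `KINIT_CMD` are names chosen for this example.

```shell
#!/bin/sh
# Added example: give IBM kinit a usable exit status by parsing its output.
# KINIT_CMD defaults to the path shown in the thread; override it to test.
KINIT_CMD=${KINIT_CMD:-/opt/IBM/InformationServer/jdk/jre/bin/kinit}

# Read kinit output on stdin and print the number from the first
# "KrbException, status code: N" line; print nothing if there is none.
krb_status_from_output() {
    sed -n 's/.*KrbException, status code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# kinit_checked ARGS...
#   returns 0 when kinit exits 0 and prints no KrbException
#   returns 1 when the output carries a KrbException status code
#   returns kinit's own exit status when that is non-zero
kinit_checked() {
    # "&& ... ||" keeps the capture safe under "set -e"
    out=$("$KINIT_CMD" "$@" 2>&1) && rc=0 || rc=$?
    code=$(printf '%s\n' "$out" | krb_status_from_output)

    if [ -n "$code" ]; then
        # Exit status was 0 (or anything else) but the text reports a failure
        printf 'kinit failed, Kerberos status code %s\n%s\n' "$code" "$out" >&2
        return 1
    fi
    if [ "$rc" -ne 0 ]; then
        # A kinit that does set its exit status is passed through unchanged
        printf '%s\n' "$out" >&2
        return "$rc"
    fi
    return 0
}
```

Source the file from the scheduled job and call `kinit_checked` with the same arguments as before, followed by `|| exit 1`, so the scheduler sees the renewal failure.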