[39326] in Kerberos


Re: Questions Regarding User Tokens

daemon@ATHENA.MIT.EDU (John Joshua Gutierrez)
Fri Dec 8 01:17:08 2023

MIME-Version: 1.0
In-Reply-To: <202312080043.3B80hh1r007744@hedwig.cmf.nrl.navy.mil>
From: John Joshua Gutierrez <jjg9803@gmail.com>
Date: Thu, 7 Dec 2023 17:18:53 -0800
Message-ID: <CAP2Q0J58Dc0Qo3+xnk4mm=Dz_-ETWBoi6aGdUK6fbpDycWhE5A@mail.gmail.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Ken,

Thank you so much for the fast reply! I will try my best to get through the
tips you've given me and hopefully I can fix something.

1. For the kinit -l and -r, I will get started on changing everything to be
the same thing. When I finish, I will email you back about whether I was
successful, and if not I will send screenshots of the configs.

2. For the time problem, I just finished syncing all the machines to one
local NTP Server. I am using chronyd and we are running Rocky Linux 8.
Hopefully that fixes that problem.

3. Yes, we unfortunately are using a scheduler and it's SLURM. Would this
question now go to the SLURM developers or still to Kerberos, or both?

Best,
John

On Thu, Dec 7, 2023 at 4:43 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

> >   - How do we extend ticket lifetime to 14 days?
> >      - We have tried to set the ticket lifetime to 14 days in krb5.conf
> >      [realm] but it caps out to one day
>
> First, assuming you're talking about the "ticket_lifetime" parameter,
> that actually goes in the [libdefaults] stanza.  You can also specify the
> lifetime parameter on the command line to kinit using the "-l" option
> and that might be the most useful to start out during testing.
>
> Where you're probably running into issues is that the ticket lifetime
> is the MINIMUM of: the requested lifetime (via the -l option or the
> ticket_lifetime parameter), the maximum lifetime set on the client
> principal, and the maximum lifetime set on the service principal.  So
> you need to modify the maximum lifetime on all of your clients AND
> all of your services.  You can do this with the "modprinc -maxlife"
> command inside of kadmin.  To even test this out with one user you'd
> need to change that user's maximum lifetime AND the lifetime of the TGS
> principal (krbtgt/REALM@REALM).
>
> >   - How do we extend renewable ticket lifetime to 30 days?
> >      - We set the variable to 30 days but it only caps out to 14 days.
>
> See above, the same rules apply (with the exception that you use
> the "-maxrenewlife" option to modprinc).
>
> >   - Kinit would sometimes give us an expiration date from the past
>
> That maybe sounds like a clock synchronization problem?  If you could
> give us details there, that might be helpful.
>
> >   - Kinit needs to be done on every single node you want to use. If, no
> >   kinit then no access to NFS home directory.
>
> Normally this is done at login time automatically, and when you log into
> a remote system Kerberos tickets are forwarded.
>
> If you are using a batch processing system then that is trickier; there
> are some tricks there, but none of them are great if you don't have
> a Kerberos aware queueing system.
>
> --Ken
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
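The "minimum of three lifetimes" rule Ken describes is easy to check mechanically. The following is an added example, not code from either poster: it parses constructed `getprinc` output (the "Maximum ticket life" / "Maximum renewable life" line format is assumed) for the user principal and the krbtgt principal, and reports which cap is actually limiting a request, so you can see why a 14-day request comes back as one day and which principals still need `modprinc`.

```python
import re
from datetime import timedelta

# Constructed sample output in the shape kadmin's `getprinc` prints (assumed
# format; not captured from the poster's systems). Only the lifetime lines matter.
USER_GETPRINC = """Principal: john@EXAMPLE.ORG
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 14 days 00:00:00
"""
TGS_GETPRINC = """Principal: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
"""

_DUR = re.compile(r"(\d+) days? (\d{2}):(\d{2}):(\d{2})")

def parse_max(getprinc_output, field):
    """Return the given 'Maximum ... life' field of a getprinc dump in seconds."""
    for line in getprinc_output.splitlines():
        if line.startswith(field + ":"):
            m = _DUR.search(line)
            if not m:
                raise ValueError("unrecognised duration: " + line)
            d, h, mi, s = map(int, m.groups())
            return int(timedelta(days=d, hours=h, minutes=mi, seconds=s).total_seconds())
    raise KeyError(field)

def effective_lifetime(requested, client_output, service_output, field):
    """Apply the rule from the thread: the KDC grants the minimum of the requested
    value, the client principal's cap and the service (krbtgt) principal's cap.
    Returns (granted_seconds, [names of every cap that is binding])."""
    caps = {
        "requested": requested,
        "client principal": parse_max(client_output, field),
        "service principal (krbtgt)": parse_max(service_output, field),
    }
    granted = min(caps.values())
    return granted, [name for name, v in caps.items() if v == granted]

if __name__ == "__main__":
    day = 86400
    for field, want in (("Maximum ticket life", 14 * day),
                        ("Maximum renewable life", 30 * day)):
        got, binding = effective_lifetime(want, USER_GETPRINC, TGS_GETPRINC, field)
        print(f"{field}: asked {want // day}d, granted {got // day}d; "
              f"capped by {', '.join(binding)}")
```

Every cap named in the output other than "requested" is a principal that still needs `modprinc -maxlife` (or `-maxrenewlife`) in kadmin before the requested value can take effect.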
