[20050] in Athena Bugs
Re: Long job support needed
daemon@ATHENA.MIT.EDU (Thomas E Cavin)
Thu Dec 6 11:08:33 2001
From: Thomas E Cavin <cavin@MIT.EDU>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15375.38907.97519.275964@lap1-wccf.mit.edu>
Date: Thu, 6 Dec 2001 11:08:27 -0500
To: Garry Zacheiss <zacheiss@mit.edu>
Cc: Thomas E Cavin <cavin@mit.edu>, Athena Bugs list <bugs@mit.edu>
In-Reply-To: <200112060007.TAA25816@brad-majors.mit.edu>
Hi Garry,
That should be more than good enough for this application. Thanks.
I do have a question on the implementation details, though. I just tried
to do a "kinit -R" on my initial login session and got these results:
$ klist
Ticket cache: /tmp/krb5cc_pts_0
Default principal: cavin@ATHENA.MIT.EDU
Valid starting Expires Service principal
12/06/01 10:19:30 12/06/01 20:19:29 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
...
$ kinit -R
kinit: KDC can't fulfill requested option while getting initial credentials
Yet when I login to a remote Athena host (passing the tickets), destroy
those tickets, and get a new set using the "l" and "r" options, it works as
expected. (See below.)
Is there something different about the original ticket or the default
parameters that prevent the "kinit -R" from working? (And for reference,
what are the default parameters to kinit and where could I find the actual
limits on ticket lifetimes?)
Thanks,
--Tom
Trials on Yoda-WCCF (remote host)
$ klist
Ticket cache: /tmp/krb5cc_p24880
Default principal: cavin@ATHENA.MIT.EDU
Valid starting Expires Service principal
12/06/01 10:44:07 12/06/01 20:19:29 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
...
$ kinit -R
kinit: KDC can't fulfill requested option while getting initial credentials
$ kdestroy
$ kinit -l 3m -r 1h $USER
Password for cavin@ATHENA.MIT.EDU:
$ klist
Ticket cache: /tmp/krb5cc_p24880
Default principal: cavin@ATHENA.MIT.EDU
Valid starting Expires Service principal
12/06/01 10:46:44 12/06/01 10:49:44 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
renew until 12/06/01 11:46:44
...
$ kinit -R
$ klist
Ticket cache: /tmp/krb5cc_p24880
Default principal: cavin@ATHENA.MIT.EDU
Valid starting Expires Service principal
12/06/01 10:47:25 12/06/01 10:50:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
renew until 12/06/01 11:46:44
...
Garry Zacheiss writes:
> >> Is there any way to get something like 24 hour tickets? What is the
> >> basic limit on ticket lifetime?
>
> Have you looked into the -l and -r flags to kinit? -l will allow you
> to get tickets longer than the default lifetime, up to a limit of (I
> believe) 21 hours. The -r flag allows you to specify the "renewable
> lifetime" of tickets, up to a maximum of 1 week. Within the renewable
> lifetime, if you have a ticket that's unexpired, you can "kinit -R" to
> get a new ticket. "man kinit" for more information on this.
>
> Using this, it's possible to have your long job running, and also
> have a separate script running which does the equivalent of:
>
> while true; do
>     kinit -R
>     aklog
>     sleep 64800   # 18 hours
> done
>
> Which should keep you authenticated up to the renewable lifetime
> limit of the tickets.
>
> Garry
>
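
In the klist output quoted in the message, only the ticket obtained with -r carries a "renew until" line, and "kinit -R" can only renew a ticket that is renewable. The following is an added example, not part of the thread: a check a renewal script can run before calling "kinit -R". The function and variable names are hypothetical, and the sample entries are copied from the message.

```shell
#!/bin/sh
# Added example (not from the thread). Function and variable names are hypothetical.

# Read klist output on stdin. Print the TGT's "renew until" time and return 0,
# or return 1 when the TGT entry has no "renew until" line (not renewable).
tgt_renew_until() {
    awk '
        /krbtgt\//  { in_tgt = 1; next }      # the TGT entry line
        in_tgt && /renew until/ {             # continuation line of that entry
            sub(/^.*renew until[ \t]*/, "")
            print; found = 1; exit
        }
        { in_tgt = 0 }                        # any other line ends the entry
        END { exit(found ? 0 : 1) }
    '
}

# One pass of the renewal loop: only call "kinit -R" when it can succeed.
renew_if_possible() {
    if klist 2>/dev/null | tgt_renew_until >/dev/null; then
        kinit -R && aklog
    else
        echo 'TGT is not renewable; get one with: kinit -l <lifetime> -r <renewable lifetime>' >&2
        return 1
    fi
}

# klist entries copied from the message above.
LOGIN_TGT='12/06/01 10:19:30 12/06/01 20:19:29 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU'
RENEWABLE_TGT='12/06/01 10:46:44 12/06/01 10:49:44 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
renew until 12/06/01 11:46:44'

for sample in "$LOGIN_TGT" "$RENEWABLE_TGT"; do
    if t=$(printf '%s\n' "$sample" | tgt_renew_until); then
        echo "renewable until $t"
    else
        echo "not renewable: kinit -R will be refused by the KDC"
    fi
done
```

A renewal loop that calls renew_if_possible instead of a bare "kinit -R" stops with a clear message when the ticket cannot be renewed, rather than letting the job lose its credentials when the ticket expires.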