[33163] in Kerberos


Linux system account ticket lifetime

daemon@ATHENA.MIT.EDU (Carter, Joel)
Fri Jan 28 18:49:02 2011

Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Fri, 28 Jan 2011 15:48:50 -0800
Message-ID: <7A014DE1422A694A89BA2CE1F5692DF5038321C7@niihau.lionsgate.ca>
From: "Carter, Joel" <JoelC@trailerwizards.com>
To: <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi there.

I have a RHEL5 machine that I want to use Kerberos tickets to access
cifs shares on my AD domain. I want this ticket to be valid all the time
(and thus able to mount using it any time) so that I don't have to go
back to the old way of passing usernames and passwords on the command
line or in a file. Here's what I do:
 
# kinit linuxserviceaccount
# mount.cifs //shares.domain.com/siv 1 -o fstype=cifs,sec=krb5

# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: linuxserviceaccount @DOMAIN.COM

Valid starting     Expires            Service principal
01/28/11 15:46:44  01/29/11 01:46:52  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 01/29/11 01:46:44
01/28/11 15:46:56  01/29/11 01:46:52  cifs/shares.domain.com@DOMAIN.COM
        renew until 01/29/11 01:46:44

This works great, however, eventually (24 hours) the ticket expires:

mount error(126): Required key not available

I've tried a crontab like the following attempting to renew it every 6
hours, but that doesn't seem to do much:

0 */6 * * * /usr/kerberos/bin/kinit -R

There are other options that look promising for kinit, like lifetime and
renewable_life. Finally, I dug into the Group Policy for the domain, and
discovered the following:

Account Policies/Kerberos Policy
	Enforce user logon restrictions Enabled 
	Maximum lifetime for service ticket 600 minutes 
	Maximum lifetime for user ticket 10 hours 
	Maximum lifetime for user ticket renewal 7 days 
	Maximum tolerance for computer clock synchronization 5 minutes

Do I need to change any of these in order to do what I want to
do? Lastly, can I do that for just my service account, or do I have to change
the entire domain policy?

Thanks for the use of your eyeballs!
Joel. 

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
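In the klist output quoted above, the "renew until" time (01:46:44) is not later than the ticket's "Expires" time (01:46:52), so a cron job running `kinit -R` has nothing to extend: the TGT was never requested with a renewable lifetime. The two standard remedies are to request a renewable TGT up front (`kinit -r 7d`, which fits inside the 7-day renewal limit in the domain policy, or `renew_lifetime` in the `[libdefaults]` section of krb5.conf) or to re-acquire a fresh TGT from a keytab (`kinit -k -t <keytab> <principal>`) so no password is needed at all. The following POSIX shell example is added here and is not part of the original post: it parses klist output in the format shown, decides whether renewal can actually extend the TGT, and prints the command a periodic job should run. The two sample caches, the keytab path `/etc/krb5.keytab` and the `KEYTAB`/`PRINCIPAL` variables are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): inspect `klist` output and
# decide whether `kinit -R` can extend the TGT or a fresh TGT is needed.

# Constructed sample: the cache shown in the post, where "renew until" is
# not later than "Expires", so renewal cannot extend the ticket.
SAMPLE_NONRENEWABLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: linuxserviceaccount@DOMAIN.COM

Valid starting     Expires            Service principal
01/28/11 15:46:44  01/29/11 01:46:52  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 01/29/11 01:46:44
01/28/11 15:46:56  01/29/11 01:46:52  cifs/shares.domain.com@DOMAIN.COM
        renew until 01/29/11 01:46:44'

# Constructed sample: the same cache after `kinit -r 7d`, with a renew-until
# a week out (the domain policy allows up to 7 days of renewal).
SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: linuxserviceaccount@DOMAIN.COM

Valid starting     Expires            Service principal
01/28/11 15:46:44  01/29/11 01:46:52  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 02/04/11 15:46:44'

# Assumed values for the re-initialisation path (not from the post).
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
PRINCIPAL=${PRINCIPAL:-linuxserviceaccount}

# tgt_times KLIST_TEXT -> prints "EXPIRES|RENEW_UNTIL" for the krbtgt entry,
# each as "MM/DD/YY HH:MM:SS"; RENEW_UNTIL is empty when the TGT line has
# no following "renew until" line.
tgt_times() {
    printf '%s\n' "$1" | awk '
        /krbtgt\//            { expires = $3 " " $4; found = 1; next }
        found && /renew until/ { renew = $3 " " $4; found = 0 }
        END                   { print expires "|" renew }
    '
}

# tgt_renewable KLIST_TEXT -> exit 0 when renew-until is strictly later than
# the expiry (so `kinit -R` can extend the TGT), exit 1 otherwise.
# Timestamps are reordered to "YY-MM-DD HH:MM:SS" so string comparison
# orders them correctly (two-digit years, same century assumed).
tgt_renewable() {
    tgt_times "$1" | awk -F'|' '
        function sortable(t,  p) {
            split(t, p, "[/ ]")
            return p[3] "-" p[1] "-" p[2] " " p[4]
        }
        { exit !($2 != "" && sortable($2) > sortable($1)) }
    '
}

# refresh_action KLIST_TEXT -> prints the command a periodic job should run:
# renew when renewal can still extend the TGT, otherwise obtain a fresh TGT
# from the keytab (no password on the command line or in a file).
refresh_action() {
    if tgt_renewable "$1"; then
        echo "kinit -R"
    else
        echo "kinit -k -t $KEYTAB $PRINCIPAL"
    fi
}

# Stand-alone demo on the constructed samples; for a live cache, call
# refresh_action "$(klist)" instead.
printf 'non-renewable cache -> %s\n' "$(refresh_action "$SAMPLE_NONRENEWABLE")"
printf 'renewable cache     -> %s\n' "$(refresh_action "$SAMPLE_RENEWABLE")"
```

Because a keytab lets the job obtain a brand-new TGT whenever it runs, it also sidesteps the 10-hour user ticket lifetime and the 7-day renewal ceiling entirely, which is why `kinit -k -t` is the usual choice for unattended service accounts.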
