ticket renew lifetime limited by Windows KDC policy
Di Pe
dipeit at gmail.com
Tue Sep 7 14:49:44 EDT 2010
Thanks Russ,
I am currently using the workflow in the cron job script below. It
would be nice if some of that could be implemented in k5start.
Dipe
##########
#! /bin/bash
# This script renews Kerberos tickets for all logged-on users
# that have not yet expired and removes tickets that have expired.
# It also allows a user to refresh her ticket in time by not
# auto-renewing tickets that have between 8 and 1 hours to live
# during the last 4 days of the renew_lifetime. Thus, the user
# is not prompted for a password for 3 days after logon if the
# ticket renew lifetime is 7 days (MS AD default policy).
# The user should set this env variable (6 hours):
# export PROMPT_COMMAND="k5start -H 360"
#
# Finally, the script logs out users for whom renew_lifetime is
# less than 1 hour (FORCELOGOUT is set to "no" by default) and
# sends a warning email to all users for whom renew_lifetime is
# between 3 and 4 hours (SENDWARNING is set to "no" by default).
#
# Test cases, there are more test cases in the code below.
# kinit -l 10m -r 3d
# (ticket_lifetime = 10 minutes, renew_lifetime = 3 days)
#
# Please put this script in /etc/cron.hourly and edit /etc/krb5.conf :
##[libdefaults]
## ticket_lifetime = 10h
## renew_lifetime = 7d
#
# Needs GNU date (-d) and GNU stat (-c); uses bash [[ ]] tests.
SENDWARNING="no"
FORCELOGOUT="no"
MAILHOST="mx"
DOMAIN=$(hostname -d)
CURRUSERS=$(users | tr ' ' '\n' | sort -u)

for TCACHE in /tmp/krb5cc*; do
    [ -f "$TCACHE" ] || continue
    OWNER=$(stat -c %U "$TCACHE")
    GROUP=$(stat -c %G "$TCACHE")
    NOW=$(date +%s)
    # klist prints "valid-from expires service" per ticket, followed by a
    # "renew until" line for renewable ones; use the first TGT entry only.
    EXPIRE_STR=$(klist -c "$TCACHE" | grep krbtgt | head -n 1 | awk '{print $3, $4}')
    RENEW_STR=$(klist -c "$TCACHE" | grep "renew until" | head -n 1 | awk '{print $3, $4}')
    if [ -z "$EXPIRE_STR" ]; then
        echo "no TGT in $TCACHE for user $OWNER, skipping"
        continue
    fi
    EXPIRE_TIME=$(date -d "$EXPIRE_STR" +%s)
    if [ -n "$RENEW_STR" ]; then
        RENEW_TIME=$(date -d "$RENEW_STR" +%s)
    else
        # not renewable: the renew window ends when the ticket does
        RENEW_TIME=$EXPIRE_TIME
    fi
    echo "owner:$OWNER tcache:$TCACHE expire:$EXPIRE_TIME renew:$RENEW_TIME current:$NOW"
    # If the ticket has already expired, might as well delete it
    # testcase: kinit -l 10s
    if [ "$NOW" -ge "$EXPIRE_TIME" ]; then
        kdestroy -c "$TCACHE" > /dev/null 2>&1
        echo "Removed expired ticket cache $TCACHE for user $OWNER"
    # log user out if we are within one hour or less of max
    # renew_lifetime, prevent lockup
    # testcase: kinit -l 1h -r 1h
    elif [ $((RENEW_TIME - NOW)) -le 3600 ]; then
        echo "time to log user out!"
        if [[ $FORCELOGOUT == "yes" ]]; then
            kill -15 $(ps -U "$OWNER" -o "pid=")
            echo "send notice to user!"
            emailbody=$(mktemp)
            echo "$OWNER, your Kerberos ticket on '$(hostname)' could not be renewed any further, so you have been logged out." >> "$emailbody"
            mail -s "You have been logged out from '$(hostname)' and all your jobs have been ended." \
                -r "root@$(hostname -f)" -S "smtp=$MAILHOST.$DOMAIN" "$OWNER@$DOMAIN" < "$emailbody"
            rm "$emailbody"
        fi
    # notify user if we are between 3 and 4 hours of max
    # renew_lifetime to prevent forced logout
    # testcase: kinit -l 1h -r 4h
    elif [ $((RENEW_TIME - NOW)) -le 14400 ]; then
        if [ $((RENEW_TIME - NOW)) -gt 10800 ]; then
            echo "send warning to user!"
            if [[ $SENDWARNING == "yes" ]]; then
                emailbody=$(mktemp)
                echo "$OWNER, please make sure to login to '$(hostname)' to update your credentials." >> "$emailbody"
                echo "If you can't login within 3 hours you will be logged out and your running jobs will be ended." >> "$emailbody"
                mail -s "Please login to '$(hostname)' within the next 3 hours." \
                    -r "root@$(hostname -f)" -S "smtp=$MAILHOST.$DOMAIN" "$OWNER@$DOMAIN" < "$emailbody"
                rm "$emailbody"
            fi
        fi
    else
        # standard refresh loop, tickets are not in immediate danger to expire
        if printf '%s\n' "$CURRUSERS" | grep -qx "$OWNER"; then
            echo "user $OWNER is logged on, check renewal!"
            # renew ticket if it will expire in one hour or less
            # testcase: kinit -l 1h -r 1d
            if [ $((EXPIRE_TIME - NOW)) -le 3600 ]; then
                kinit -R -c "$TCACHE"
                chown "$OWNER:$GROUP" "$TCACHE"
                echo "auto renewed - 1h!"
            # renew ticket if it will expire in 8 hours or less
            # testcase: kinit -l 8h -r 97h
            elif [ $((EXPIRE_TIME - NOW)) -le 28800 ]; then
                # ....and if there is at least 96 hours left for renewal
                if [ $((RENEW_TIME - NOW)) -ge 345600 ]; then
                    kinit -R -c "$TCACHE"
                    chown "$OWNER:$GROUP" "$TCACHE"
                    echo "auto renewed - >=96h left"
                else
                    # testcase: kinit -l 8h -r 96h
                    echo "time for ticket refresh via k5start or systray app"
                fi
            fi
        fi
    fi
done
On Mon, Sep 6, 2010 at 2:25 PM, Russ Allbery <rra at stanford.edu> wrote:
> Di Pe <dipeit at gmail.com> writes:
>
>> This seems to be a good idea. I used
>> export PROMPT_COMMAND="k5start -H 500"
>> and it does what it's supposed to do.
>
>> One issue though: k5start seems to look at ticket_lifetime instead of
>> renew_lifetime. ticket_lifetime is enforced to 10 hours by active
>> directory. If I don't use a cron job to renew the ticket users would
>> have to enter their credentials every few hours or so which is not
>> good if they run jobs over night.
>
> Yeah, you ideally want k5start to renew the ticket if it can, and if not,
> prompt. That's something that k5start -H should probably just do by
> default. It doesn't do that right now and it will require some coding.
> I'll add it to the to-do list.
>
>> Another problem we notice on our terminal server is that user sessions
>> are completely locking up when a ticket expires on a nfs mounted home
>> directory. It would be good if we had a cron job that forces a logout
>> for users where the ticket is about to expire in 60 minutes or less. Is
>> there a way to check for a happy ticket in a shell script without
>> getting a prompt if the ticket is not happy?
>
> Also a good idea. There isn't at the moment.
>
> --
> Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
>
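The threshold logic of the cron script above, factored into functions and exercised against constructed klist output and a simulated week, as an added example (not code from the original post or from k5start). It assumes MIT klist's output layout; the function names, the SAMPLE_KLIST text and the epoch values are my own.

```shell
#!/bin/sh
# Added example (not from the original post): the cron job's threshold logic
# split into small functions so it can be checked against constructed klist
# output and fixed clock values, without a KDC or a real credential cache.
# Assumes MIT klist's output layout; function names are my own.

HOUR=3600

# Read `klist -c <cache>` output on stdin and print two lines: the TGT's
# expiry and its "renew until" time ("MM/DD/YY HH:MM:SS"; the second line is
# empty if the ticket is not renewable). Only the first krbtgt entry is used.
tgt_times() {
    awk '
        /krbtgt\// && !seen { expire = $3 " " $4; seen = 1; next }
        seen && !renew && $1 == "renew" && $2 == "until" { renew = $3 " " $4 }
        END { print expire; print renew }
    '
}

# Decide what the hourly job should do with one cache.
# $1 now, $2 expiry, $3 renew-until (all epoch seconds); $4 is "yes" when the
# cache owner appears in `users`. Prints one word:
#   destroy  ticket already expired                      (kdestroy)
#   logout   <= 1h of renewable life left                (FORCELOGOUT branch)
#   warn     3h < renewable life <= 4h                   (SENDWARNING branch)
#   wait     1h < renewable life <= 3h                   (the script does nothing here)
#   skip     owner not logged on
#   renew    expires within 1h, or within 8h with >= 96h of renewable life
#   prompt   expires within 8h but < 96h left: leave it to k5start -H
#   ok       nothing to do yet
ticket_action() {
    ttl=$(($2 - $1)); rtl=$(($3 - $1))
    if   [ "$ttl" -le 0 ];                then echo destroy
    elif [ "$rtl" -le $((1 * HOUR)) ];    then echo logout
    elif [ "$rtl" -le $((4 * HOUR)) ]; then
        if [ "$rtl" -gt $((3 * HOUR)) ];  then echo warn; else echo wait; fi
    elif [ "$4" != yes ];                 then echo skip
    elif [ "$ttl" -le $((1 * HOUR)) ];    then echo renew
    elif [ "$ttl" -le $((8 * HOUR)) ]; then
        if [ "$rtl" -ge $((96 * HOUR)) ]; then echo renew; else echo prompt; fi
    else                                       echo ok
    fi
}

# Run the hourly job's decisions over one week for a user who logs on at
# epoch $1 with ticket_lifetime = 10h and renew_lifetime = 7d, stays logged
# on and never types a password. A "renew" yields a ticket of min(10h, time
# left in the renew window), as kinit -R would. Prints every hour whose
# action is something other than ok/wait.
simulate() {
    t0=$1; expire=$((t0 + 10 * HOUR)); renew=$((t0 + 7 * 24 * HOUR)); h=0
    while [ "$h" -le $((7 * 24)) ]; do
        now=$((t0 + h * HOUR))
        action=$(ticket_action "$now" "$expire" "$renew" yes)
        if [ "$action" = renew ]; then
            expire=$((now + 10 * HOUR))
            if [ "$expire" -gt "$renew" ]; then expire=$renew; fi
        fi
        case $action in
            ok|wait) ;;
            *) echo "hour $h: $action" ;;
        esac
        h=$((h + 1))
    done
}

# Constructed klist output in MIT format (not captured from a real system).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dipe@EXAMPLE.COM

Valid starting     Expires            Service principal
09/07/10 14:49:44  09/08/10 00:49:44  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 09/14/10 14:49:44
09/07/10 14:50:01  09/08/10 00:49:44  nfs/home.example.com@EXAMPLE.COM
        renew until 09/14/10 14:49:44'

# Stand-alone demo: `sh thisfile.sh demo`
if [ "${1:-}" = demo ]; then
    echo "TGT expiry / renew until, parsed from the constructed klist output:"
    printf '%s\n' "$SAMPLE_KLIST" | tgt_times
    echo "Hourly decisions for a user who logs on at epoch 0 and stays on:"
    simulate 0
fi
```

Run it with the `demo` argument (file name assumed) to print the parsed times and the hourly decisions. The simulation shows the first k5start prompt at hour 74, about three days in, as the script's header comment promises, and the `wait` state makes the script's gap visible: with between 1 and 3 hours of renewable life left it neither renews nor logs out, so a ticket that expires inside that window is destroyed on the next run instead of being extended to the end of the renew window.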
More information about the Kerberos mailing list