Linux system account ticket lifetime

Carter, Joel JoelC at trailerwizards.com
Fri Jan 28 18:48:50 EST 2011


Hi there.

I have a RHEL5 machine that I want to use Kerberos tickets to access
cifs shares on my AD domain. I want this ticket to be valid all the time
(and thus able to mount using it any time) so that I don't have to go
back to the old way of passing usernames and passwords on the command
line or in a file. Here's what I do:
 
# kinit linuxserviceaccount
# mount.cifs //shares.domain.com/siv 1 -o fstype=cifs,sec=krb5

# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: linuxserviceaccount @DOMAIN.COM

Valid starting     Expires            Service principal
01/28/11 15:46:44  01/29/11 01:46:52  krbtgt/DOMAIN.COM at DOMAIN.COM
        renew until 01/29/11 01:46:44
01/28/11 15:46:56  01/29/11 01:46:52  cifs/shares.domain.com at DOMAIN.COM
        renew until 01/29/11 01:46:44

This works great, however, eventually (24 hours) the ticket expires:

mount error(126): Required key not available

I've tried a crontab like the following attempting to renew it every 6
hours, but that doesn't seem to do much:

0 */6 * * * /usr/kerberos/bin/kinit -R

There are other options that look promising for kinit like lifetime and
renewable_life Finally, I dug into the Group Policy for the domain, and
discovered the following:

Account Policies/Kerberos Policy
	Enforce user logon restrictions Enabled 
	Maximum lifetime for service ticket 600 minutes 
	Maximum lifetime for user ticket 10 hours 
	Maximum lifetime for user ticket renewal 7 days 
	Maximum tolerance for computer clock synchronization 5 minutes

Do I need to change any of these in order in order to do what I want to
do? Lastly, can I do that just my service account or do I have to change
the entire domain policy?

Thanks for the use of your eyeballs!
Joel. 




More information about the Kerberos mailing list