Linux system account ticket lifetime
Carter, Joel
JoelC at trailerwizards.com
Fri Jan 28 18:48:50 EST 2011
Hi there.
I have a RHEL5 machine that I want to use Kerberos tickets to access
cifs shares on my AD domain. I want this ticket to be valid all the time
(and thus able to mount using it any time) so that I don't have to go
back to the old way of passing usernames and passwords on the command
line or in a file. Here's what I do:
# kinit linuxserviceaccount
# mount.cifs //shares.domain.com/siv 1 -o fstype=cifs,sec=krb5
# klist -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: linuxserviceaccount@DOMAIN.COM

Valid starting     Expires            Service principal
01/28/11 15:46:44  01/29/11 01:46:52  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 01/29/11 01:46:44
01/28/11 15:46:56  01/29/11 01:46:52  cifs/shares.domain.com@DOMAIN.COM
        renew until 01/29/11 01:46:44
This works great; however, eventually (24 hours) the ticket expires:
mount error(126): Required key not available
I've tried a crontab like the following attempting to renew it every 6
hours, but that doesn't seem to do much:
0 */6 * * * /usr/kerberos/bin/kinit -R
There are other options that look promising for kinit, like lifetime and
renewable_life. Finally, I dug into the Group Policy for the domain and
discovered the following:
Account Policies/Kerberos Policy
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
Do I need to change any of these in order to do what I want to do?
Lastly, can I do that just for my service account, or do I have to change
the entire domain policy?
Thanks for the use of your eyeballs!
Joel.
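The klist output quoted in the post already explains why the 6-hourly `kinit -R` does nothing: the TGT's "renew until" (01/29/11 01:46:44) is earlier than its expiry (01/29/11 01:46:52), and a renewed ticket can never outlive "renew until". MIT kinit only asks the KDC for a renewable TGT when it is run with `-r` or when `renew_lifetime` is set in the `[libdefaults]` section of krb5.conf, and the domain's "Maximum lifetime for user ticket renewal" (7 days here) caps what it gets. The script below is an added example for this thread, not code from the original post or from MIT Kerberos: it parses `klist -5` output (the sample is constructed from the output quoted above, with the list archive's " at " turned back into "@"), then simulates a `0 */6 * * *` cron running `kinit -R` against the ticket as posted and, as an assumption, against the same ticket had it been issued renewable for the policy's 7 days.

```python
"""Parse MIT `klist -5` output and simulate what a cron'd `kinit -R` can do.

Added example for this thread, not code from the original post. KLIST_SAMPLE
is constructed from the output quoted in the post (" at " restored to "@");
the 7-day renewal cap is the domain policy quoted there. The semantics are
MIT/AD renewal rules: kinit -R only succeeds while the ticket is still
valid, the renewed ticket gets at most the original lifetime again, and it
can never outlive `renew until`.
"""
import re
from datetime import datetime, timedelta

KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: linuxserviceaccount@DOMAIN.COM

Valid starting     Expires            Service principal
01/28/11 15:46:44  01/29/11 01:46:52  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 01/29/11 01:46:44
01/28/11 15:46:56  01/29/11 01:46:52  cifs/shares.domain.com@DOMAIN.COM
        renew until 01/29/11 01:46:44
"""

TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")
FMT = "%m/%d/%y %H:%M:%S"


def parse_klist(text):
    """One dict per ticket: service, start, expires, renew_until (None when
    the ticket was not issued renewable, i.e. no `renew until` line)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), FMT),
                "expires": datetime.strptime(m.group(2), FMT),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # `renew until` belongs to the ticket listed just above it
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets


def find_tgt(tickets, realm):
    """The ticket-granting ticket is the one for krbtgt/REALM@REALM."""
    want = f"krbtgt/{realm}@{realm}"
    return next((t for t in tickets if t["service"] == want), None)


def renewed_expiry(tgt, lifetime, now):
    """Expiry the TGT would have if `kinit -R` ran at `now`; unchanged when
    renewal is impossible (ticket already expired or not renewable)."""
    if now >= tgt["expires"] or tgt["renew_until"] is None:
        return tgt["expires"]
    return min(now + lifetime, tgt["renew_until"])


def simulate_cron(tgt, first_run, interval, max_runs=10000):
    """Fire `kinit -R` at `first_run` and every `interval` afterwards.

    Returns (time at which the TGT finally expires, number of runs that
    actually pushed the expiry out)."""
    t = dict(tgt)
    lifetime = t["expires"] - t["start"]
    extended = 0
    run = first_run
    for _ in range(max_runs):
        if run >= t["expires"]:
            break  # ticket dead: kinit -R fails, only a fresh kinit helps
        new_exp = renewed_expiry(t, lifetime, run)
        if new_exp > t["expires"]:
            t["expires"] = new_exp
            extended += 1
        run += interval
    return t["expires"], extended


def report():
    tickets = parse_klist(KLIST_SAMPLE)
    tgt = find_tgt(tickets, "DOMAIN.COM")
    six_hours = timedelta(hours=6)
    # First "0 */6 * * *" firing after the 15:46:44 kinit in the post.
    first_cron = datetime(2011, 1, 28, 18, 0, 0)

    # Case 1: exactly the ticket shown in the post. `renew until` is 8 s
    # before the expiry, so no renewal can gain anything.
    as_posted = simulate_cron(tgt, first_cron, six_hours)

    # Case 2 (assumption): the same TGT issued renewable, e.g. `kinit -r 7d`
    # or renew_lifetime = 7d in krb5.conf, capped by the 7-day domain policy.
    renewable = dict(tgt, renew_until=tgt["start"] + timedelta(days=7))
    with_renew = simulate_cron(renewable, first_cron, six_hours)
    return {"as_posted": as_posted, "renewable": with_renew}


if __name__ == "__main__":
    for name, (final, n) in report().items():
        print(f"{name:10s} extended {n:2d} times, TGT finally expires {final}")
```

With the ticket as posted the simulation extends the TGT zero times and it dies at 01/29/11 01:46:52, cron or no cron; with a renewable TGT the same cron keeps it alive until the 7-day renewal cap (02/04/11 15:46:44), after which only a fresh kinit helps. Two caveats for the cron job itself: it must act on the same credential cache the mount uses (root's default is the FILE:/tmp/krb5cc_0 shown in the post, so set KRB5CCNAME if the cache is elsewhere), and a renewed TGT does not stretch the renewable lifetime, so a non-interactive service account still needs some way to obtain a new ticket when that cap is reached.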