Questions Regarding User Tokens

John Joshua Gutierrez jjg9803 at gmail.com
Thu Dec 7 20:18:53 EST 2023


Hi Ken,

Thank you so much for the fast reply! I will try my best to get through the
tips you've given me and hopefully I fix something.

1. For the kinit -l and -r, I will get started on changing everything to be
the same thing. When I finish, I will email back to you if I was successful
and if not I will send screenshots of the configs.

2. For the time problem, I just finished syncing all the machines to one
local NTP Server. I am using chronyd and we are running Rocky Linux 8.
Hopefully that fixes that problem.

3. Yes, we unfortunately are using a scheduler and it's SLURM. Would this
question now go to SLURM Developers or still to Kerberos or both?

Best,
John

On Thu, Dec 7, 2023 at 4:43 PM Ken Hornstein <kenh at cmf.nrl.navy.mil> wrote:

> >   - How do we extend ticket lifetime to 14 days?
> >      - We have tried to set the ticket lifetime to 14 days in krb5.conf
> >      [realm] but it caps out to one day
>
> First, assuming you're talking about the "ticket_lifetime" parameter,
> that actually goes in the [libdefaults] stanza.  You can also specify the
> lifetime parameter on the command line to kinit using the "-l" option
> and that might be the most useful to start out during testing.
>
> Where you're probably running into issues is that the ticket lifetime
> is the MINIMUM of: the requested lifetime (via the -l option or the
> ticket_lifetime parameter), the maximum lifetime set on the client
> principal, and the maximum lifetime set on the service principal.  So
> you need to modify the maximum lifetime on all of your clients AND
> all of your services.  You can do this with the "modprinc -maxlife"
> command inside of kadmin.  To even test this out with one user you'd
> need to change that user's maximum lifetime AND the lifetime of the TGS
> principal (krbtgt/REALM at REALM).
>
> >   - How do we extend renewable ticket lifetime to 30 days?
> >      - We set the variable to 30 days but it only caps out to 14 days.
>
> See above, the same rules apply (with the exception that you'd use
> the "-maxrenewlife" option to modprinc).
>
> >   - Kinit would sometimes give us an expiration date from the past
>
> That maybe sounds like a clock synchronization problem?  If you could
> give us details there, might be helpful.
>
> >   - Kinit needs to be done on every single node you want to use. If no
> >   kinit, then no access to NFS home directory.
>
> Normally this is done at login time automatically, and when you log into
> a remote system Kerberos tickets are forwarded.
>
> If you are using a batch processing system then that is trickier; there
> are some tricks there, but none of them are great if you don't have
> a Kerberos aware queueing system.
>
> --Ken
>
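The lifetime rule in Ken's reply (the granted lifetime is the minimum of the requested value and the caps on the client principal and on krbtgt/REALM@REALM, with -maxrenewlife playing the same role for renewal) is easy to get wrong when several principals are involved. The POSIX shell helper below is an added example for this thread, not code from either poster: it computes the effective lifetime, names which cap is binding (so you know which principal still needs a modprinc), and prints the kadmin commands and krb5.conf [libdefaults] lines that the reply describes. The principal name jdoe, the realm EXAMPLE.COM and the 14-day / 30-day / 1-day figures are constructed placeholders taken from the scenario in the thread; the note that the KDC's own max_life / max_renewable_life realm settings in kdc.conf also cap the result is an addition beyond the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): Kerberos ticket-lifetime
# arithmetic as described in the reply, plus the admin commands it implies.
# Realm, principal and durations below are assumed placeholders.

# Convert a duration such as 14d, 10h, 30m or 90s to seconds.
# A bare number is taken as seconds already.
to_seconds() {
    n=${1%?}
    case "$1" in
        *d) echo $((n * 86400)) ;;
        *h) echo $((n * 3600)) ;;
        *m) echo $((n * 60)) ;;
        *s) echo "$n" ;;
        *)  echo "$1" ;;
    esac
}

# effective_lifetime REQUESTED CLIENT_MAXLIFE KRBTGT_MAXLIFE
# Prints the lifetime the KDC will grant, in seconds: the minimum of what
# kinit -l / ticket_lifetime asked for, the client principal's maxlife and
# the TGS (krbtgt) principal's maxlife. The same rule applies to renewable
# lifetime with -r / renew_lifetime and the maxrenewlife attributes.
effective_lifetime() {
    req=$(to_seconds "$1"); cli=$(to_seconds "$2"); svc=$(to_seconds "$3")
    min=$req
    if [ "$cli" -lt "$min" ]; then min=$cli; fi
    if [ "$svc" -lt "$min" ]; then min=$svc; fi
    echo "$min"
}

# binding_cap REQUESTED CLIENT_MAXLIFE KRBTGT_MAXLIFE
# Prints which value is holding the lifetime down: "krbtgt" means the TGS
# principal still needs modprinc, "client" means the user principal does,
# "requested" means you are already getting what you asked for.
binding_cap() {
    cli=$(to_seconds "$2"); svc=$(to_seconds "$3")
    min=$(effective_lifetime "$1" "$2" "$3")
    if [ "$svc" -eq "$min" ]; then echo krbtgt
    elif [ "$cli" -eq "$min" ]; then echo client
    else echo requested
    fi
}

# kadmin_commands USER REALM MAXLIFE MAXRENEWLIFE
# Prints the modprinc lines to run inside kadmin (or kadmin.local) for one
# user AND the TGS principal, which is the minimum needed to test one user.
# Note (beyond the thread): the KDC's max_life / max_renewable_life realm
# settings in kdc.conf cap the result as well.
kadmin_commands() {
    user=$1; realm=$2; life=$3; renew=$4
    printf 'modprinc -maxlife "%s" -maxrenewlife "%s" %s@%s\n' \
        "$life" "$renew" "$user" "$realm"
    printf 'modprinc -maxlife "%s" -maxrenewlife "%s" krbtgt/%s@%s\n' \
        "$life" "$renew" "$realm" "$realm"
}

# krb5_conf_fragment LIFETIME RENEW_LIFETIME
# The client-side defaults belong in [libdefaults], not [realms]; kinit -l
# and -r override them per invocation, which is handy while testing.
krb5_conf_fragment() {
    printf '[libdefaults]\n    ticket_lifetime = %s\n    renew_lifetime = %s\n' "$1" "$2"
}

# Worked scenario constructed from the thread: 14 days requested, the user
# principal already raised to 14 days, but krbtgt still at a one-day cap.
effective_lifetime 14d 14d 1d          # prints 86400 (one day)
binding_cap 14d 14d 1d                 # prints krbtgt
kadmin_commands jdoe EXAMPLE.COM "14 days" "30 days"
krb5_conf_fragment 14d 30d
# After both modprinc lines have been applied:
effective_lifetime 14d 14d 14d         # prints 1209600 (14 days)
```

Usage: run the script as-is to see the scenario, or source it and call `binding_cap` with the values from `getprinc user@REALM` and `getprinc krbtgt/REALM@REALM` to find out which principal is still capping your tickets; then check the result with `kinit -l 14d -r 30d` followed by `klist`.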

