We are using tmux, screen and x2go to run long-running jobs on our compute servers. $HOME and other data should be mounted via CIFS or NFS4. Because such a job can run for more than a week, I would like to increase the Kerberos ticket lifetime or better the Kerberos ticket maximum renewable lifetime.

I found this guide:

https://wiki.samba.org/index.php/Samba_KDC_Settings

Unfortunately, only settings that are smaller than the following have an effect:

kdc:user ticket lifetime = 24
kdc:renewal lifetime = 24

There appears to be an upper limit of 24 hours that none of these settings can exceed.

Thanks in advance

On 02.07.20 at 18:55, Rowland penny via samba wrote:
> On 02/07/2020 17:28, Stefan Just via samba wrote:
>> I would like to set the renewable lifetime to 90 days.
>> What is the best way to set the Kerberos ticket maximum renewable
>> lifetime.
>>
>> ~# smbd --version
>> Version 4.12.2-Ubuntu
>>
>> ~# klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at MYDOM
>>
>> Valid starting     Expires            Service principal
>> 07/02/20 18:08:16  07/03/20 04:08:16  krbtgt/MYDOM at MYDOM
>>     renew until 07/03/20 18:08:11
>>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>>
>>
> Why on Earth do you want to do that ?
>
> Not sure you can anyway.
>
> Rowland
>
>

--
Stefan Just, DV-Systemingenieur | E-Mail: just at tuhh.de
Technische Universität Hamburg, ES (E-13) | Voice: +49 40 42878-3356
Am Schwarzenberg-Campus 3E, D-21073 Hamburg | Fax: +49 40 42731-3612

On 03/07/2020 11:33, Stefan Just via samba wrote:
> We are using tmux, screen and x2go to run long-running jobs on our
> compute servers. $HOME and other data should be mounted via CIFS or
> NFS4. Because such a job can run for more than a week, I would like to
> increase the Kerberos ticket lifetime or better the Kerberos ticket
> maximum renewable lifetime.
>
> I found this guide:
>
> https://wiki.samba.org/index.php/Samba_KDC_Settings
>
> Unfortunately, only settings that are smaller than the following have an
> effect:
>
> kdc:user ticket lifetime = 24
> kdc:renewal lifetime = 24
>
> There appears to be an upper limit of 24 hours that none of these
> settings can exceed.
>
> Thanks in advance

You possibly could alter the ticket lifetime, but it would affect every Kerberos ticket.

A better idea would be to create users in AD just to run the program and then create a script to check if the ticket is valid and run kinit if it isn't, though this would also depend on a keytab.

Rowland

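The check-and-kinit script suggested in the reply above, as an added shell example that is not part of the original thread. It assumes MIT Kerberos client tools (`klist -s`, `kinit -R`, `kinit -k -t`) and a dedicated job account; the principal and keytab path are placeholders.

```shell
#!/bin/sh
# Added example (constructed). PRINCIPAL and KEYTAB are placeholders,
# not values taken from the thread.
PRINCIPAL="${PRINCIPAL:-jobrunner@EXAMPLE.TEST}"
KEYTAB="${KEYTAB:-/etc/jobrunner.keytab}"

# A keytab is a password-equivalent secret. Accept it only if it is a
# regular file that group and others cannot access (mode 0600 or 0400).
keytab_is_private() {
    case "$(ls -ld -- "$1" 2>/dev/null)" in
        -r?-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Leave a valid ticket in the cache, or say why that was not possible.
#   0 = ticket renewed, or obtained from the keytab
#   2 = keytab missing or too permissive (kinit is not attempted)
#   3 = kinit with the keytab failed
ensure_ticket() {
    # klist -s prints nothing and exits 0 only while the cache holds
    # an unexpired ticket.
    if klist -s; then
        # Still valid: renew now so it does not lapse before the next
        # run. This fails once the renewable lifetime is used up, in
        # which case we fall through to the keytab.
        kinit -R 2>/dev/null && return 0
    fi
    keytab_is_private "$KEYTAB" || return 2
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 3
    return 0
}

# Usage: source this file from a cron job that runs as the job account,
# at an interval shorter than the ticket lifetime, and call ensure_ticket.
```
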
On 03.07.20 at 13:05, Rowland penny via samba wrote:
> On 03/07/2020 11:33, Stefan Just via samba wrote:
>> We are using tmux, screen and x2go to run long-running jobs on our
>> compute servers. $HOME and other data should be mounted via CIFS or
>> NFS4. Because such a job can run for more than a week, I would like to
>> increase the Kerberos ticket lifetime or better the Kerberos ticket
>> maximum renewable lifetime.
>>
>> I found this guide:
>>
>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>
>> Unfortunately, only settings that are smaller than the following have an
>> effect:
>>
>> kdc:user ticket lifetime = 24
>> kdc:renewal lifetime = 24
>>
>> There appears to be an upper limit of 24 hours that none of these
>> settings can exceed.
>>
>> Thanks in advance
>
> You possibly could alter the ticket lifetime, but it would affect every
> Kerberos ticket.
>

That's exactly what I want to do, I want to extend the lifetime of every Kerberos ticket or better the Kerberos ticket maximum renewable lifetime. How does it work?

> A better idea would be to create users in AD just to run the program and
> then create a script to check if the ticket is valid and run kinit if it
> isn't, though this would also depend on a keytab.
>
> Rowland
>
>

A kinit needs the user's password if the Kerberos ticket maximum renewable lifetime has been exceeded. This is simply not possible because users cannot be online for weeks.

Stefan