On 03.07.20 at 13:05 Rowland penny via samba wrote:
> On 03/07/2020 11:33, Stefan Just via samba wrote:
>> We are using tmux, screen and x2go to run long-running jobs on our
>> compute servers. $HOME and other data should be mounted via CIFS or
>> NFS4. Because such a job can run for more than a week, I would like to
>> increase the Kerberos ticket lifetime or better the Kerberos ticket
>> maximum renewable lifetime.
>>
>> I found this guide:
>>
>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>
>> Unfortunately, only settings that are smaller than the following have an
>> effect:
>>
>> kdc:user ticket lifetime = 24
>> kdc:renewal lifetime = 24
>>
>> There appears to be an upper limit of 24 hours that none of these
>> settings can exceed.
>>
>> Thanks in advance
>
> You possibly could alter the ticket lifetime, but it would affect every
> kerberos ticket.
>

That's exactly what I want to do, I want to extend the lifetime of every kerberos ticket or better the Kerberos ticket maximum renewable lifetime. How does it work?

> A better idea would be to create users in AD just to run the program and
> then create a script to check if the ticket is valid and run kinit if it
> isn't, though this would also depend on a keytab.
>
> Rowland
>

A kinit needs the user's password if the Kerberos ticket maximum renewable lifetime has been exceeded. This is simply not possible because users cannot be online for weeks.

Stefan
On 03/07/2020 12:35, Stefan Just via samba wrote:
> A kinit needs the user's password if the Kerberos ticket maximum
> renewable lifetime has been exceeded. This is simply not possible
> because users cannot be online for weeks.

Where did you get the idea that you need the password from?

If a user logs in and PAM is set up correctly on a Unix domain member, the user should get a kerberos ticket.

But as I said, you do not actually need a password, you need a keytab, to prove this:

rowland@devstation:~$ who
rowland  tty7         2020-06-29 11:02 (:0)

I am the only user logged in.

I use sudo from AD (and I do not use sssd) and for this you need the Administrators ticket (I have asked about this on the sudo-users mailing list, the users ticket should be enough). To keep the Administrators ticket valid, I run a cron job every 10 minutes and this is what happened this morning:

Jul  3 05:00:01 devstation CRON[19420]: (root) CMD (/usr/local/bin/check_key.sh)
Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Running check for valid kerberos ticket
Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Getting new ticket, old one has expired

If I check the ticket, I find this:

rowland@devstation:~$ sudo klist -c /tmp/krb5cc_0
[sudo] password for rowland:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMDOM.EXAMPLE.COM

Valid starting     Expires            Service principal
03/07/20 05:00:01  03/07/20 15:00:01  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
        renew until 04/07/20 05:00:01
03/07/20 12:03:01  03/07/20 15:00:01  ldap/dc01.samdom.example.com@SAMDOM.EXAMPLE.COM
        renew until 04/07/20 05:00:01

No passwords were used in creating the new ticket.

Rowland
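A reconstruction of the kind of cron-driven check Rowland describes, added here as an example; it is not his check_key.sh, which the post does not show. It assumes MIT Kerberos client tools, a keytab for the account at /etc/krb5.keytab (hypothetical path), and the cache path and principal from the klist output above:

```shell
#!/bin/sh
# check_key.sh (reconstruction, not the script from the post): run from cron
# every 10 minutes to keep a keytab-backed TGT alive for a detached job.
# Assumptions: MIT Kerberos client tools; the account's key was exported to
# KEYTAB (e.g. with "samba-tool domain exportkeytab", see the Samba wiki);
# the job reads the same cache through KRB5CCNAME.
CCACHE="${CCACHE:-/tmp/krb5cc_0}"                    # cache from the klist output
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"                 # hypothetical path
PRINC="${PRINC:-Administrator@SAMDOM.EXAMPLE.COM}"   # principal from the klist output
export KRB5CCNAME="FILE:$CCACHE"
# The keytab holds the account's long-term key: keep it root-owned, mode 0600.

# Same log format as the syslog lines quoted above: "dd-mm-yy HH:MM:SS [sudo_key] : msg"
log() {
    logger "$(date '+%d-%m-%y %H:%M:%S') [sudo_key] : $*"
}

# klist -s prints nothing; exit status 0 means the cache holds an unexpired TGT.
ticket_valid() {
    klist -s
}

# Cheap path first: kinit -R renews while still inside the "renew until" window.
# Otherwise fetch a fresh ticket from the keytab. No password is involved.
refresh_ticket() {
    if kinit -R 2>/dev/null; then
        log "Renewed existing ticket"
        return 0
    fi
    log "Getting new ticket, old one has expired"
    kinit -k -t "$KEYTAB" "$PRINC"
}

# Returns 0 when a usable ticket is in place afterwards, non-zero otherwise
# (kinit's error text on stderr then ends up in cron's mail for that run).
check_ticket() {
    log "Running check for valid kerberos ticket"
    if ticket_valid; then
        return 0
    fi
    refresh_ticket
}

# Run the check only when executed as the script itself, not when sourced
case "${0##*/}" in
    check_key.sh) check_ticket ;;
esac
```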
On 03.07.20 at 13:35 Stefan Just via samba wrote:
>
>
> On 03.07.20 at 13:05 Rowland penny via samba wrote:
>> On 03/07/2020 11:33, Stefan Just via samba wrote:
>>> We are using tmux, screen and x2go to run long-running jobs on our
>>> compute servers. $HOME and other data should be mounted via CIFS or
>>> NFS4. Because such a job can run for more than a week, I would like to
>>> increase the Kerberos ticket lifetime or better the Kerberos ticket
>>> maximum renewable lifetime.
>>>
>>> I found this guide:
>>>
>>> https://wiki.samba.org/index.php/Samba_KDC_Settings
>>>
>>> Unfortunately, only settings that are smaller than the following have an
>>> effect:
>>>
>>> kdc:user ticket lifetime = 24
>>> kdc:renewal lifetime = 24
>>>
>>> There appears to be an upper limit of 24 hours that none of these
>>> settings can exceed.
>>>
>>> Thanks in advance
>>
>> You possibly could alter the ticket lifetime, but it would affect every
>> kerberos ticket.
>>
>
> That's exactly what I want to do, I want to extend the lifetime of every
> kerberos ticket or better the Kerberos ticket maximum renewable
> lifetime. How does it work?
>
>> A better idea would be to create users in AD just to run the program and
>> then create a script to check if the ticket is valid and run kinit if it
>> isn't, though this would also depend on a keytab.
>>
>> Rowland
>>
>
> A kinit needs the user's password if the Kerberos ticket maximum
> renewable lifetime has been exceeded. This is simply not possible
> because users cannot be online for weeks.
>
> Stefan
>

More specifically, we use ssh together with terminal multiplexers (screen, tmux or x2go) so that the application continues to run in the background (detached) when the user logs out or the connection is interrupted. Until now, with our old Kerberos and without an active directory, we have extended the lifetime of the tickets with krenew-agent. But in samba the maximum extendability is limited to only 24 hours.

How can I change this, or is there another way to run long running applications in the background (detached)?

Thanks in advance

Stefan
Great, it worked with the keytab. Many thanks

On 03.07.20 at 14:27 Rowland penny via samba wrote:
> On 03/07/2020 12:35, Stefan Just via samba wrote:
>> A kinit needs the user's password if the Kerberos ticket maximum
>> renewable lifetime has been exceeded. This is simply not possible
>> because users cannot be online for weeks.
>
> Where did you get the idea that you need the password from?
>
> If a user logs in and PAM is set up correctly on a Unix domain member,
> the user should get a kerberos ticket.
>
> But as I said, you do not actually need a password, you need a keytab,
> to prove this:
>
> rowland@devstation:~$ who
> rowland  tty7         2020-06-29 11:02 (:0)
>
> I am the only user logged in.
>
> I use sudo from AD (and I do not use sssd) and for this you need the
> Administrators ticket (I have asked about this on the sudo-users mailing
> list, the users ticket should be enough). To keep the Administrators
> ticket valid, I run a cron job every 10 minutes and this is what
> happened this morning:
>
> Jul  3 05:00:01 devstation CRON[19420]: (root) CMD
> (/usr/local/bin/check_key.sh)
> Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Running
> check for valid kerberos ticket
> Jul  3 05:00:01 devstation root: 03-07-20 05:00:01 [sudo_key] : Getting
> new ticket, old one has expired
>
> If I check the ticket, I find this:
>
> rowland@devstation:~$ sudo klist -c /tmp/krb5cc_0
> [sudo] password for rowland:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: Administrator@SAMDOM.EXAMPLE.COM
>
> Valid starting     Expires            Service principal
> 03/07/20 05:00:01  03/07/20 15:00:01
> krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
>         renew until 04/07/20 05:00:01
> 03/07/20 12:03:01  03/07/20 15:00:01
> ldap/dc01.samdom.example.com@SAMDOM.EXAMPLE.COM
>         renew until 04/07/20 05:00:01
>
> No passwords were used in creating the new ticket.
>
> Rowland
>