en:navody:kerberos:start

Kerberos

Install support Kerberos to your computer. In Ubuntu distribution install packages krb5-user and krb5-config, in OpenSuse packages install krb5 and krb5-client packages. During the installation process, you may be asked for REALM and kdc servers. Both fields leave blank. To correct configuration use our version of the file krb5.conf. If something have to be fill in (the system doesn't allow empty fields), use EINFRA for REALM and kdc1.cesnet.cz for kdc server. It is necessary to set /etc/krb5.conf file. The easiest way is to copy from this site.

If you want to use your own file and you have MIT kerberos with version 1.4 or higher or Heimdal with version 1.3 or higher, add to the section [libdefaults] in krb5.conf file allow_weak_crypto = true option. It is necessary to set KDC servers with EINFRA realm and the same realm as default.

If you already have the service account, use a realm EINFRA-SERVICES instead of EINFRA

If the installation process was performed correctly then you can use command kinit to get kerberos ticket. Existence of new ticket can be verified by klist.

$ kinit user@EINFRA
Password for user@EINFRA: 
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EINFRA

Valid starting    Expires           Service principal
27/06/2012 13:52  28/06/2012 13:52  krbtgt/EINFRA@EINFRA
$

Durability of Kerberos ticket

Kerberos tickets have set a expiration time. The standard duration is one day. After one day you need to generate a new ticket (use kinit again).

You can also create renewable tickets by using kinit -r number_of_days. This ticket can be restore by command kinit -R' (and you won't be prompted to enter your password). kinit -R'' can be used for a maximum of number_of_days (which is limited to 8). After that it is necessary to make a new ticket.

Last modified:: 10.11.2015 13:34