[Thinlinc-technical] Kerberos ticket refresh/netapp remount issues

Kevin Kwan (Work) kkwan at worldfinancialdesk.com
Tue Nov 5 17:33:39 CET 2013 

Thanks for responding -

Does thinlinc expect a certain version of kinit/klist, a specific
credentials cache format, or a specific KRB5 implementation?  Also, how does
the location of the service ticket cache "play well" with others?  AFAIK the
default kerberos ccache location is at:
/tmp/krb5cc_<uid>

I did notice this on the xinit.log upon initial login - 

krb5-auth-dialog:4766): libnotify-WARNING **: Failed to connect to proxy
** (krb5-auth-dialog:4766): WARNING **: Failed to read server caps
** (krb5-auth-dialog:4766): WARNING **: Unsupported cache type for
'/var/opt/thinlinc/sessions/kkwan/1/krb5cc'
** (krb5-auth-dialog:4766): CRITICAL **: monitor_ccache: assertion
`ccache_name != NULL' failed

/etc/krb5.conf indicate:
        ccache_type = 4

AFAIK krb5-auth-dialog is just some widget which checks on kerberos
expiration, so it's probably not a major deal - however it could be
indicative of symptoms - 
Which ccache type is this supposed to be, and which one does ThinLinc work
with?

Kevin Kwan
Senior Systems Administrator
World Financial Desk, LLC 
Tel 212 937 4025 • Fax 212 202 9600  • Mobile 646 964 7828 / 347 714 0983
 
This email (including any attachments) may contain confidential, proprietary
and privileged information.  Unauthorized disclosure or use is prohibited.
If you received this email in error, please notify the sender and delete
from your system


-----Original Message-----
From: Pierre Ossman [mailto:ossman at cendio.se] 
Sent: Thursday, October 31, 2013 6:30 AM
To: kkwan at worldfinancialdesk.com
Cc: thinlinc-technical at lists.cendio.se
Subject: Re: [Thinlinc-technical] Kerberos ticket refresh/netapp remount
issues

On Tue, 29 Oct 2013 15:30:42 -0400
"Kevin Kwan \(Work\)" <kkwan at worldfinancialdesk.com> wrote:

> We notice that once we log in and receive the TGT (ticket granting 
> ticket) the service ticket for all consequent services used by that 
> session does not show up by spawning gnome-terminal and running klist.  
> I also do not see session reconnects refresh the initial TGT (extend the
expiration time).
> This seems to eventually cause netapp homedir mount errors which can 
> only be solved by a reboot.
> 
> Is there any thing we could do to prevent this from happening?  Let me
know
> if you need VMs to repo this issue.   

What your describing seems very odd. If you see the TGT with klist, then
service tickets based on that should appear there as well.
Anything else sounds like some odd bug in kinit.

There could also be a case of confusion. ThinLinc does make things a bit
more complicated with regards to Kerberos and tickets. :)

When you run ThinLinc, you will on most installations get three TGT:s for a
single session:

 a) When ThinLinc makes an SSH connection to the master.
 b) When ThinLinc makes an SSH connection to the agent.
 c) When the session is started.

These three are normally three independent TGT:s in independent ticket
caches. The first two will not be used for anything as SSH is simply used as
a tunnel to the servers. It's the third one that will be used to access you
home directory, other services, etc.

The lifetime of these are also different:

 a) Very brief. Only as long as is needed to find an agent.
 b) As long as the client is connected.
 c) As long as the session is running.

Upon reconnects you will get fresh new a) and b) TGTs, but nothing will
happen to c).

Note that we do not explicitly start anything that refreshes tickets.
Although kinit looks basically the same everywhere, daemons to automatically
refresh tickets exist in many forms. So for now we've left that out and hope
that it gets handled by the desktop environment.

You can have a look in /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh for the
included script that tries to make sure the session has a TGT.


Hopefully this clarifies things more than it confuses things. :)


Rgds
-- 
Pierre Ossman           Software Development
Cendio AB		http://cendio.com
Teknikringen 8		http://twitter.com/ThinLinc
583 30 Linköping	http://facebook.com/ThinLinc
Phone: +46-13-214600	http://plus.google.com/112509906846170010689

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

More information about the Thinlinc-technical mailing list