[Thinlinc-technical] Kerberos ticket refresh/netapp remount issues
Peter Astrand
astrand at cendio.se
Wed Nov 6 08:11:06 CET 2013
Hi. On the ThinLinc server, the only integration point for Kerberos is
/opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh ->
/opt/thinlinc/libexec/tl-kinit.sh. The script is written to work with both
Heimdal and MIT kinit, and should work with any kinit that can accept the
password on stdin. The ccache is set to "${TLSESSIONDATA}/krb5cc". I agree
with your conclusion, the fact that krb5-auth-dialog warns indicates that
kinit did not work. Perhaps you have some error message about this earlier
in xinit.log? What happens if you run /opt/thinlinc/libexec/tl-kinit.sh
manually in the TL session?
Regards,
Peter
On Tue, 5 Nov 2013, Kevin Kwan (Work) wrote:
> Thanks for responding -
>
> Does thinlinc expect a certain version of kinit/klist, a specific
> credentials cache format, or a specific KRB5 implementation? Also, how does
> the location of the service ticket cache "play well" with others? AFAIK the
> default kerberos ccache location is at:
> /tmp/krb5cc_<uid>
>
> I did notice this on the xinit.log upon initial login -
>
> krb5-auth-dialog:4766): libnotify-WARNING **: Failed to connect to proxy
> ** (krb5-auth-dialog:4766): WARNING **: Failed to read server caps
> ** (krb5-auth-dialog:4766): WARNING **: Unsupported cache type for
> '/var/opt/thinlinc/sessions/kkwan/1/krb5cc'
> ** (krb5-auth-dialog:4766): CRITICAL **: monitor_ccache: assertion
> `ccache_name != NULL' failed
>
> /etc/krb5.conf indicates:
> ccache_type = 4
>
> AFAIK krb5-auth-dialog is just some widget which checks on kerberos
> expiration, so it's probably not a major deal - however it could be
> indicative of symptoms -
> Which ccache type is this supposed to be, and which one does ThinLinc work
> with?
>
> Kevin Kwan
> Senior Systems Administrator
> World Financial Desk, LLC
> Tel 212 937 4025 · Fax 212 202 9600 · Mobile 646 964 7828 / 347 714 0983
>
> This email (including any attachments) may contain confidential, proprietary
> and privileged information. Unauthorized disclosure or use is prohibited.
> If you received this email in error, please notify the sender and delete
> from your system
>
>
> -----Original Message-----
> From: Pierre Ossman [mailto:ossman at cendio.se]
> Sent: Thursday, October 31, 2013 6:30 AM
> To: kkwan at worldfinancialdesk.com
> Cc: thinlinc-technical at lists.cendio.se
> Subject: Re: [Thinlinc-technical] Kerberos ticket refresh/netapp remount
> issues
>
> On Tue, 29 Oct 2013 15:30:42 -0400
> "Kevin Kwan (Work)" <kkwan at worldfinancialdesk.com> wrote:
>
>> We notice that once we log in and receive the TGT (ticket granting
>> ticket) the service ticket for all consequent services used by that
>> session does not show up by spawning gnome-terminal and running klist.
>> I also do not see session reconnects refresh the initial TGT (extend the
>> expiration time).
>> This seems to eventually cause netapp homedir mount errors which can
>> only be solved by a reboot.
>>
>> Is there anything we could do to prevent this from happening? Let me
>> know if you need VMs to repro this issue.
>
> What you're describing seems very odd. If you see the TGT with klist, then
> service tickets based on that should appear there as well.
> Anything else sounds like some odd bug in kinit.
>
> There could also be a case of confusion. ThinLinc does make things a bit
> more complicated with regards to Kerberos and tickets. :)
>
> When you run ThinLinc, you will on most installations get three TGTs for a
> single session:
>
> a) When ThinLinc makes an SSH connection to the master.
> b) When ThinLinc makes an SSH connection to the agent.
> c) When the session is started.
>
> These three are normally three independent TGTs in independent ticket
> caches. The first two will not be used for anything as SSH is simply used as
> a tunnel to the servers. It's the third one that will be used to access your
> home directory, other services, etc.
>
> The lifetime of these are also different:
>
> a) Very brief. Only as long as is needed to find an agent.
> b) As long as the client is connected.
> c) As long as the session is running.
>
> Upon reconnects you will get fresh new a) and b) TGTs, but nothing will
> happen to c).
>
> Note that we do not explicitly start anything that refreshes tickets.
> Although kinit looks basically the same everywhere, daemons to automatically
> refresh tickets exist in many forms. So for now we've left that out and hope
> that it gets handled by the desktop environment.
>
> You can have a look in /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh for the
> included script that tries to make sure the session has a TGT.
>
>
> Hopefully this clarifies things more than it confuses things. :)
>
>
> Rgds
> --
> Pierre Ossman Software Development
> Cendio AB http://cendio.com
> Teknikringen 8 http://twitter.com/ThinLinc
> 583 30 Linköping http://facebook.com/ThinLinc
> Phone: +46-13-214600 http://plus.google.com/112509906846170010689
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
> _______________________________________________
> Thinlinc-technical mailing list
> Thinlinc-technical at lists.cendio.se
> Manage your subscription:
> http://lists.cendio.se/mailman/listinfo/thinlinc-technical
>
---
Peter Astrand ThinLinc Chief Developer
Cendio AB http://cendio.com
Teknikringen 8 http://twitter.com/ThinLinc
583 30 Linköping http://facebook.com/ThinLinc
Phone: +46-13-214600 http://plus.google.com/112509906846170010689
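The thread turns on what kind of credential cache sits at "${TLSESSIONDATA}/krb5cc" and whether the krb5-auth-dialog "Unsupported cache type" warning says anything about it. The helper below is an added diagnostic for that question; it is not ThinLinc code, not tl-kinit.sh, and was not posted by anyone in the thread. It classifies a KRB5CCNAME-style value by its type prefix (a bare path, as ThinLinc uses, means a FILE cache), reads the two-byte header of a FILE cache to report its format version (the first byte is always 0x05 and the second is the version 1 to 4; this is what the krb5.conf setting "ccache_type = 4" selects when a cache is created), and optionally asks klist whether the cache still holds a valid TGT. It assumes POSIX sh, od(1), and a klist that accepts -s (MIT semantics); the function and file names are the example's own, and every sample file is constructed in place.

```shell
#!/bin/sh
# Added diagnostic helper, not part of ThinLinc or its tl-kinit.sh script.
# Inspects the credential cache a ThinLinc session hands to kinit
# (KRB5CCNAME="${TLSESSIONDATA}/krb5cc") so that a warning like
# krb5-auth-dialog's "Unsupported cache type" can be checked against the
# file itself. Assumes POSIX sh, od(1) and, for the live check only, a
# klist(1) that understands -s. All sample files are constructed here.

# Cache type named by a KRB5CCNAME-style value: "FILE:/p" -> FILE,
# "KEYRING:persistent:1000" -> KEYRING; a bare path (ThinLinc's case) is FILE.
ccache_type_of() {
    case $1 in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# Filesystem path behind a FILE-type KRB5CCNAME value; fails for other types.
ccache_path_of() {
    case $1 in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *:*)    return 1 ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Format version (1-4) of a FILE ccache: byte 0 is always 0x05, byte 1 is
# the version. krb5.conf's "ccache_type = 4" makes kinit write version 4.
ccache_version() {
    [ -r "$1" ] || { printf 'unreadable\n'; return 1; }
    hdr=$(od -An -tx1 -N2 "$1" | tr -d ' \n')   # e.g. "0504"
    case $hdr in
        050[1-4]) printf '%s\n' "${hdr#050}" ;;
        *)        printf 'not-a-file-ccache\n'; return 1 ;;
    esac
}

# Write a constructed two-byte FILE-ccache header (no tickets) for testing.
# $1 = path, $2 = version 1..4
write_sample_header() {
    case $2 in [1-4]) ;; *) return 1 ;; esac
    printf "\\005\\00$2" > "$1"
}

# One-line verdict for a KRB5CCNAME value such as the session's
# "${TLSESSIONDATA}/krb5cc": the type, and for FILE caches the format version.
ccache_report() {
    t=$(ccache_type_of "$1")
    if [ "$t" != FILE ]; then
        printf '%s: type %s (not a FILE cache)\n' "$1" "$t"
        return 0
    fi
    p=$(ccache_path_of "$1")
    v=$(ccache_version "$p") || { printf '%s: %s\n' "$p" "$v"; return 1; }
    printf '%s: FILE cache, format version %s\n' "$p" "$v"
}

# Live check inside a session: exit 0 only if the cache holds a non-expired
# TGT (klist -s), 1 if not, 2 when no klist is on PATH.
session_has_tgt() {
    command -v klist >/dev/null 2>&1 || return 2
    KRB5CCNAME=$1 klist -s
}

# Usage inside a ThinLinc session, after tl-kinit.sh has run:
#   ccache_report "${TLSESSIONDATA}/krb5cc"
#   session_has_tgt "${TLSESSIONDATA}/krb5cc" && echo "TGT still valid"
```

Run from a gnome-terminal in the session, the report line tells you whether kinit produced a readable version-4 FILE cache at the path ThinLinc sets; an "unreadable" or "not-a-file-ccache" verdict there means kinit never wrote the cache, which is the earlier failure Peter points at, rather than anything wrong with krb5-auth-dialog.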