[Thinlinc-technical] Kerberos ticket refresh/netapp remount issues

Peter Astrand astrand at cendio.se
Thu Nov 7 12:57:23 CET 2013


Running kinit in a loop is probably not a good idea; I believe the entire 
ticket cache is wiped and re-created, so your service tickets are probably 
cleared.

http://www2.cisl.ucar.edu/docs/hpss/kerberos#renewing has some 
information. Perhaps you can add -r7d to the kinit command line, then run 
"kinit -R" twice a day, for example by cron, as they suggest?

Regards,
Peter

On Wed, 6 Nov 2013, Kevin Kwan (Work) wrote:

> Well, I did - it's not prompting me for a password (which I am not sure is a good thing):
>
> alpha kkwan at desktop24:~$ /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh
> kinit is /usr/bin/kinit
> Password for kkwan at NY2.WFD:
> alpha kkwan at desktop24:~$ klist
> Ticket cache: FILE:/var/opt/thinlinc/sessions/kkwan/1/krb5cc
> Default principal: kkwan at NY2.WFD
>
> Valid starting       Expires              Service principal
> 11/06/2013 11:39:59  11/08/2013 11:39:59  krbtgt/NY2.WFD at NY2.WFD
> 	renew until 11/08/2013 11:40:09
>
> alpha kkwan at desktop24:~$ /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh
> kinit is /usr/bin/kinit
> Password for kkwan at NY2.WFD:
> alpha kkwan at desktop24:~$ klist
> Ticket cache: FILE:/var/opt/thinlinc/sessions/kkwan/1/krb5cc
> Default principal: kkwan at NY2.WFD
>
> Valid starting       Expires              Service principal
> 11/06/2013 11:40:04  11/08/2013 11:40:04  krbtgt/NY2.WFD at NY2.WFD
> 	renew until 11/08/2013 11:40:15
> alpha kkwan at desktop24:~$
>
> So the question is - what happens when it hits 11/8/2013?  And is it 
> theoretically possible for someone to simply call this script in a loop 
> to postpone a TGT expiration until the max lifetime of the ticket?
>
> Kevin Kwan
> Senior Systems Administrator
> World Financial Desk, LLC
> Tel 212 937 4025 • Fax 212 202 9600  • Mobile 646 964 7828 / 347 714 0983
>
> This email (including any attachments) may contain confidential, proprietary and privileged information.  Unauthorized disclosure or use is prohibited. If you received this email in error, please notify the sender and delete from your system
>
>
> -----Original Message-----
> From: Peter Astrand [mailto:astrand at cendio.se]
> Sent: Wednesday, November 06, 2013 2:11 AM
> To: Kevin Kwan \(Work\)
> Cc: thinlinc-technical at lists.cendio.se
> Subject: Re: [Thinlinc-technical] Kerberos ticket refresh/netapp remount issues
>
>
> Hi. On the ThinLinc server, the only integration point for Kerberos is /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh -> /opt/thinlinc/libexec/tl-kinit.sh. The script is written to work with both Heimdal and MIT kinit, and should work with any kinit that can accept the password on stdin. The ccache is set to "${TLSESSIONDATA}/krb5cc". I agree with your conclusion, the fact that krb5-auth-dialog warns indicates that kinit did not work. Perhaps you have some error message about this earlier in xinit.log? What happens if you run /opt/thinlinc/libexec/tl-kinit.sh manually in the TL session?
>
> Regards,
> Peter
>
> On Tue, 5 Nov 2013, Kevin Kwan \(Work\) wrote:
>
>> Thanks for responding -
>>
>> Does thinlinc expect a certain version of kinit/klist, a specific
>> credentials cache format, or a specific KRB5 implementation?  Also,
>> how does the location of the service ticket cache "play well" with
>> others?  AFAIK the default kerberos ccache location is at:
>> /tmp/krb5cc_<uid>
>>
>> I did notice this on the xinit.log upon initial login -
>>
>> krb5-auth-dialog:4766): libnotify-WARNING **: Failed to connect to
>> proxy
>> ** (krb5-auth-dialog:4766): WARNING **: Failed to read server caps
>> ** (krb5-auth-dialog:4766): WARNING **: Unsupported cache type for
>> '/var/opt/thinlinc/sessions/kkwan/1/krb5cc'
>> ** (krb5-auth-dialog:4766): CRITICAL **: monitor_ccache: assertion
>> `ccache_name != NULL' failed
>>
>> /etc/krb5.conf indicate:
>>        ccache_type = 4
>>
>> AFAIK krb5-auth-dialog is just some widget which checks on kerberos
>> expiration, so it's probably not a major deal - however it could be
>> indicative of symptoms - Which ccache type is this supposed to be, and
>> which one does ThinLinc work with?
>>
>> Kevin Kwan
>> Senior Systems Administrator
>> World Financial Desk, LLC
>> Tel 212 937 4025 ? Fax 212 202 9600  ? Mobile 646 964 7828 / 347 714
>> 0983
>>
>> This email (including any attachments) may contain confidential,
>> proprietary and privileged information.  Unauthorized disclosure or use is prohibited.
>> If you received this email in error, please notify the sender and
>> delete from your system
>>
>>
>> -----Original Message-----
>> From: Pierre Ossman [mailto:ossman at cendio.se]
>> Sent: Thursday, October 31, 2013 6:30 AM
>> To: kkwan at worldfinancialdesk.com
>> Cc: thinlinc-technical at lists.cendio.se
>> Subject: Re: [Thinlinc-technical] Kerberos ticket refresh/netapp
>> remount issues
>>
>> On Tue, 29 Oct 2013 15:30:42 -0400
>> "Kevin Kwan \(Work\)" <kkwan at worldfinancialdesk.com> wrote:
>>
>>> We notice that once we log in and receive the TGT (ticket granting
>>> ticket) the service ticket for all consequent services used by that
>>> session does not show up by spawning gnome-terminal and running klist.
>>> I also do not see session reconnects refresh the initial TGT (extend
>>> the
>> expiration time).
>>> This seems to eventually cause netapp homedir mount errors which can
>>> only be solved by a reboot.
>>>
>>> Is there any thing we could do to prevent this from happening?  Let
>>> me
>> know
>>> if you need VMs to repo this issue.
>>
>> What your describing seems very odd. If you see the TGT with klist,
>> then service tickets based on that should appear there as well.
>> Anything else sounds like some odd bug in kinit.
>>
>> There could also be a case of confusion. ThinLinc does make things a
>> bit more complicated with regards to Kerberos and tickets. :)
>>
>> When you run ThinLinc, you will on most installations get three TGT:s
>> for a single session:
>>
>> a) When ThinLinc makes an SSH connection to the master.
>> b) When ThinLinc makes an SSH connection to the agent.
>> c) When the session is started.
>>
>> These three are normally three independent TGT:s in independent ticket
>> caches. The first two will not be used for anything as SSH is simply
>> used as a tunnel to the servers. It's the third one that will be used
>> to access you home directory, other services, etc.
>>
>> The lifetime of these are also different:
>>
>> a) Very brief. Only as long as is needed to find an agent.
>> b) As long as the client is connected.
>> c) As long as the session is running.
>>
>> Upon reconnects you will get fresh new a) and b) TGTs, but nothing
>> will happen to c).
>>
>> Note that we do not explicitly start anything that refreshes tickets.
>> Although kinit looks basically the same everywhere, daemons to
>> automatically refresh tickets exist in many forms. So for now we've
>> left that out and hope that it gets handled by the desktop environment.
>>
>> You can have a look in /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh for
>> the included script that tries to make sure the session has a TGT.
>>
>>
>> Hopefully this clarifies things more than it confuses things. :)
>>
>>
>> Rgds
>> --
>> Pierre Ossman           Software Development
>> Cendio AB		http://cendio.com
>> Teknikringen 8		http://twitter.com/ThinLinc
>> 583 30 Linköping	http://facebook.com/ThinLinc
>> Phone: +46-13-214600	http://plus.google.com/112509906846170010689
>>
>> A: Because it messes up the order in which people normally read text.
>> Q: Why is top-posting such a bad thing?
>>
>> _______________________________________________
>> Thinlinc-technical mailing list
>> Thinlinc-technical at lists.cendio.se
>> Manage your subscription:
>> http://lists.cendio.se/mailman/listinfo/thinlinc-technical
>>
>
>
> ---
> Peter Astrand		ThinLinc Chief Developer
> Cendio AB		http://cendio.com
> Teknikringen 8		http://twitter.com/ThinLinc
> 583 30 Linkoping	http://facebook.com/ThinLinc
> Phone: +46-13-214600	http://plus.google.com/112509906846170010689
>
>


---
Peter Astrand		ThinLinc Chief Developer
Cendio AB		http://cendio.com
Teknikringen 8		http://twitter.com/ThinLinc
583 30 Linkoping	http://facebook.com/ThinLinc
Phone: +46-13-214600	http://plus.google.com/112509906846170010689


More information about the Thinlinc-technical mailing list