[Thinlinc-technical] Kerberos ticket refresh/netapp remount issues

Kevin Kwan (Work) kkwan at worldfinancialdesk.com
Fri Nov 1 16:33:22 CET 2013


Well, in our case we actually run the master/agent together on the same
machine (we want to avoid the bottleneck of having to run a single master) -
so the problem is that we just don't see the NFS service ticket manifest
itself, and in addition to that, we also don't seem to be able to renew the
NFS service ticket upon a kinit.

I am basically thinking that either it is an issue with the Debian jessie
build of kinit or it's some issue with the ONTAP OS inside the Netapp.  

Kevin Kwan
Senior Systems Administrator
World Financial Desk, LLC 

-----Original Message-----
From: Pierre Ossman [mailto:ossman at cendio.se] 
Sent: Thursday, October 31, 2013 6:30 AM
To: kkwan at worldfinancialdesk.com
Cc: thinlinc-technical at lists.cendio.se
Subject: Re: [Thinlinc-technical] Kerberos ticket refresh/netapp remount

On Tue, 29 Oct 2013 15:30:42 -0400
"Kevin Kwan \(Work\)" <kkwan at worldfinancialdesk.com> wrote:

> We notice that once we log in and receive the TGT (ticket granting
> ticket) the service ticket for all consequent services used by that
> session does not show up by spawning gnome-terminal and running klist.
> I also do not see session reconnects refresh the initial TGT (extend the
> expiration time).
> This seems to eventually cause netapp homedir mount errors which can
> only be solved by a reboot.
> Is there anything we could do to prevent this from happening?  Let me
> know if you need VMs to repro this issue.

What you're describing seems very odd. If you see the TGT with klist, then
service tickets based on that should appear there as well.
Anything else sounds like some odd bug in kinit.

There could also be a case of confusion. ThinLinc does make things a bit
more complicated with regards to Kerberos and tickets. :)

When you run ThinLinc, you will on most installations get three TGT:s for a
single session:

 a) When ThinLinc makes an SSH connection to the master.
 b) When ThinLinc makes an SSH connection to the agent.
 c) When the session is started.

These three are normally three independent TGT:s in independent ticket
caches. The first two will not be used for anything as SSH is simply used as
a tunnel to the servers. It's the third one that will be used to access your
home directory, other services, etc.

The lifetime of these are also different:

 a) Very brief. Only as long as is needed to find an agent.
 b) As long as the client is connected.
 c) As long as the session is running.

Upon reconnects you will get fresh new a) and b) TGTs, but nothing will
happen to c).

Note that we do not explicitly start anything that refreshes tickets.
Although kinit looks basically the same everywhere, daemons to automatically
refresh tickets exist in many forms. So for now we've left that out and hope
that it gets handled by the desktop environment.

You can have a look in /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh for the
included script that tries to make sure the session has a TGT.

Hopefully this clarifies things more than it confuses things. :)

Pierre Ossman           Software Development
Cendio AB		http://cendio.com
Teknikringen 8		http://twitter.com/ThinLinc
583 30 Linköping	http://facebook.com/ThinLinc
Phone: +46-13-214600	http://plus.google.com/112509906846170010689

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
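
Added example, not part of the original thread or of ThinLinc: a small checker for the session ticket cache (TGT "c" above) that parses `klist` output and flags a missing or expiring TGT and a missing nfs/ service ticket. The sample output, principal names, cache path and the MM/DD/YYYY date format are constructed assumptions; adjust the timestamp pattern to what your klist prints.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the thread): MIT-style `klist` output for the
# session's own cache. Names, path and date format are assumptions.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000_example
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
11/01/2013 09:00:00  11/01/2013 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 11/08/2013 09:00:00
11/01/2013 09:05:00  11/01/2013 19:00:00  nfs/filer.example.com@EXAMPLE.COM
\trenew until 11/08/2013 09:00:00
"""

TS = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
ROW = re.compile(rf"^{TS}\s+{TS}\s+(\S+)\s*$")      # start, expiry, service
RENEW = re.compile(rf"^\s+renew until {TS}")         # optional follow-up line

def _ts(s):
    return datetime.strptime(s, "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    """Return one dict per ticket: service, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            tickets.append({"service": row.group(3), "expires": _ts(row.group(2)),
                            "renew_until": None})
        elif tickets and (ren := RENEW.match(line)):
            tickets[-1]["renew_until"] = _ts(ren.group(1))
    return tickets

def diagnose(text, now, margin=timedelta(hours=1)):
    """Flag the conditions discussed in the thread for one ticket cache."""
    tickets, findings = parse_klist(text), []
    tgt = next((t for t in tickets if t["service"].startswith("krbtgt/")), None)
    if tgt is None:
        findings.append("TGT_MISSING")
    elif tgt["expires"] <= now:
        findings.append("TGT_EXPIRED")    # too late to renew; a fresh kinit is needed
    elif tgt["expires"] - now < margin:   # still valid: renew with `kinit -R` if allowed
        renewable = tgt["renew_until"] and tgt["renew_until"] > tgt["expires"]
        findings.append("TGT_RENEW_NOW" if renewable else "TGT_NOT_RENEWABLE")
    nfs = [t for t in tickets if t["service"].startswith("nfs/")]
    if not nfs:
        findings.append("NFS_TICKET_MISSING")
    elif all(t["expires"] <= now for t in nfs):
        findings.append("NFS_TICKET_EXPIRED")
    return findings
```

Feed it the output of `klist` run inside the session, so that it reads the session's cache rather than the short-lived SSH tunnel caches.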
