[Thinlinc-technical] Kerberos ticket refresh/netapp remount issues

Pierre Ossman ossman at cendio.se
Thu Oct 31 11:29:41 CET 2013


On Tue, 29 Oct 2013 15:30:42 -0400
"Kevin Kwan (Work)" <kkwan at worldfinancialdesk.com> wrote:

> We notice that once we log in and receive the TGT (ticket granting ticket)
> the service ticket for all consequent services used by that session does not
> show up by spawning gnome-terminal and running klist.  I also do not see
> session reconnects refresh the initial TGT (extend the expiration time).
> This seems to eventually cause netapp homedir mount errors which can only be
> solved by a reboot.
> 
> Is there anything we could do to prevent this from happening?  Let me know
> if you need VMs to repo this issue.   

What you're describing seems very odd. If you see the TGT with klist,
then service tickets based on that should appear there as well.
Anything else sounds like some odd bug in kinit.

There could also be a case of confusion. ThinLinc does make things a
bit more complicated with regards to Kerberos and tickets. :)

When you run ThinLinc, you will on most installations get three TGT:s
for a single session:

 a) When ThinLinc makes an SSH connection to the master.
 b) When ThinLinc makes an SSH connection to the agent.
 c) When the session is started.

These three are normally three independent TGT:s in independent ticket
caches. The first two will not be used for anything as SSH is simply
used as a tunnel to the servers. It's the third one that will be used
to access your home directory, other services, etc.

The lifetime of these are also different:

 a) Very brief. Only as long as is needed to find an agent.
 b) As long as the client is connected.
 c) As long as the session is running.

Upon reconnects you will get fresh new a) and b) TGTs, but nothing will
happen to c).

Note that we do not explicitly start anything that refreshes tickets.
Although kinit looks basically the same everywhere, daemons to
automatically refresh tickets exist in many forms. So for now we've
left that out and hope that it gets handled by the desktop environment.

You can have a look in /opt/thinlinc/etc/xstartup.d/01-tl-kinit.sh for
the included script that tries to make sure the session has a TGT.


Hopefully this clarifies things more than it confuses things. :)


Rgds
-- 
Pierre Ossman           Software Development
Cendio AB		http://cendio.com
Teknikringen 8		http://twitter.com/ThinLinc
583 30 Linköping	http://facebook.com/ThinLinc
Phone: +46-13-214600	http://plus.google.com/112509906846170010689

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
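
Added example, not part of the original message and not ThinLinc's own code: since nothing in the session refreshes tickets, a check like the one below can be run against the session's ticket cache (for instance on the output of klist -c <cache>) to list the service tickets it holds and to tell whether the TGT is still fine, can be extended with kinit -R, or needs a new login. It assumes MIT-style klist output with four-digit years; the cache name, principals and times are constructed sample values.

```python
import re
from datetime import datetime, timedelta

FMT = "%m/%d/%Y %H:%M:%S"   # assumption: MIT klist date format, 4-digit year
TS = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
ROW = re.compile(rf"^{TS}\s+{TS}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until {TS}")

# Constructed sample: a session cache holding a TGT and one service ticket.
SESSION_CACHE = """Ticket cache: FILE:/tmp/krb5cc_example
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
10/31/2013 08:00:00  10/31/2013 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/07/2013 08:00:00
10/31/2013 08:00:05  10/31/2013 18:00:00  nfs/filer.example.com@EXAMPLE.COM
        renew until 11/07/2013 08:00:00
"""

def parse_klist(text):
    """Return (cache name, list of ticket dicts) from klist output."""
    cache, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            cache = line.split(":", 1)[1].strip()
        elif m := ROW.match(line):
            tickets.append({"service": m.group(3), "renew_until": None,
                            "expires": datetime.strptime(m.group(2), FMT)})
        elif (m := RENEW.match(line)) and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return cache, tickets

def tgt_action(text, now, margin=timedelta(hours=1)):
    """Classify the cache's TGT as ok / renew / reauth at time `now`."""
    cache, tickets = parse_klist(text)
    tgt = next((t for t in tickets if t["service"].startswith("krbtgt/")), None)
    services = [t["service"] for t in tickets if t is not tgt]
    if tgt is None or now >= tgt["expires"]:
        action = "reauth"    # an expired TGT cannot be renewed with kinit -R
    elif tgt["expires"] - now > margin:
        action = "ok"
    elif tgt["renew_until"] and tgt["renew_until"] > tgt["expires"]:
        action = "renew"     # still valid and renewable: kinit -R extends it
    else:
        action = "reauth"    # valid but not renewable: a new kinit is needed
    return {"cache": cache, "services": services, "action": action}

if __name__ == "__main__":
    print(tgt_action(SESSION_CACHE, datetime(2013, 10, 31, 17, 30)))
```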