Questions Regarding User Tokens

From: jjg9803@gmail.com (John Joshua Gutierrez)
Newsgroups: comp.protocols.kerberos
Subject: Questions Regarding User Tokens
Date: Thu, 7 Dec 2023 15:34:53 -0800
Organization: TNet Consulting
Lines: 25
Message-ID: <mailman.66.1701992552.2263420.kerberos@mit.edu>
To: kerberos@mit.edu

Hi Kerberos Team,

My name is John Gutierrez and I work with Deep Apple Therapeutics. We have
a small cluster running Kerberos and would like guidance on a couple of
issues. We have been experiencing difficulty with user authentication and
keeping tickets alive to run processes for more than 7 days without getting
kicked out. We are not experts in Kerberos and we probably have a very poor
configuration. Here are our questions:

- How do we extend ticket lifetime to 14 days?
  - We have tried to set the ticket lifetime to 14 days in krb5.conf
    [realm] but it caps out to one day.
- How do we extend renewable ticket lifetime to 30 days?
  - We set the variable to 30 days but it only caps out to 14 days.
- Kinit would sometimes give us an expiration date from the past.
- Kinit needs to be done on every single node you want to use. If no
  kinit, then no access to NFS home directory.

We currently work around the issue of token expiration by using a script
that kinits with one day of lifetime and 14 days of renewal and doing a
cronjob every 12 hours to renew the token on every node in our tiny
cluster. Please advise.

Best,
John
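
Added example, not part of the original post or of MIT Kerberos: a small Python model of why a requested lifetime is cut down, and of how long the kinit-plus-cron workaround described above can keep tickets valid. It assumes MIT krb5 setting names (kdc.conf max_life and max_renewable_life, principal maxlife and maxrenewlife); every cap value is constructed to reproduce the symptoms in the post.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(text):
    """Parse durations written like '14d', '12h' or '1d12h' into seconds."""
    parts = re.findall(r"(\d+)([smhd])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def effective(requested, caps):
    """Return (granted_seconds, limiting_setting).

    The KDC issues the minimum of the requested value and every cap that
    applies, so raising only the client-side request changes nothing.
    """
    candidates = {"requested": parse_duration(requested)}
    candidates.update({name: parse_duration(v) for name, v in caps.items()})
    limiting = min(candidates, key=candidates.get)
    return candidates[limiting], limiting

def unattended_window(lifetime_s, renew_s, renew_interval_s):
    """Longest time a job keeps valid tickets with periodic `kinit -R`.

    Renewal only works while the current ticket is still valid, and never
    past the renew-until time fixed when the ticket was first issued.
    """
    if renew_interval_s >= lifetime_s:
        return lifetime_s  # ticket expires before the next renewal runs
    return max(lifetime_s, renew_s)

# Constructed caps (assumptions) that reproduce "14d asked, 1d granted"
# and "30d renewable asked, 14d granted".
LIFE_CAPS = {"kdc.conf max_life": "1d",
             "user maxlife": "14d",
             "krbtgt maxlife": "14d"}
RENEW_CAPS = {"kdc.conf max_renewable_life": "30d",
              "user maxrenewlife": "30d",
              "krbtgt maxrenewlife": "14d"}

if __name__ == "__main__":
    life, life_by = effective("14d", LIFE_CAPS)
    renew, renew_by = effective("30d", RENEW_CAPS)
    print(f"lifetime  {life // 86400}d, limited by {life_by}")
    print(f"renewable {renew // 86400}d, limited by {renew_by}")
    window = unattended_window(life, renew, parse_duration("12h"))
    print(f"12h renewal keeps tickets valid for {window // 86400}d")
```

Comparing the limiting setting reported here with the values actually configured on the KDC and on the user and krbtgt principals shows which one needs raising.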
