Kerberos is an authentication protocol which uses tickets to authenticate users (and computers). You automatically get a ticket when you log in with your password on a TU Delft installed computer. You can use this ticket to authenticate yourself without password when connecting to other computers or accessing your files. To protect you from misuse, the ticket expires after 10 hours or less (even when you're still logged in).
1. File access
Your Linux and Windows home directories and the Group and Bulk shares are located on network fileservers, which allows you to access your files from all TU Delft installed computers. Kerberos authentication is used to enable access to, or protect, your files. Without a valid Kerberos ticket (e.g. when the ticket has expired) you will not be able to access your files but instead you will receive a 'Permission denied' error.
2. Expiration and Renewal of Kerberos Tickets
Kerberos tickets have a limited valid lifetime (of up to 10 hours) to reduce the risk of abuse, even when you stay logged in. If your tickets expire, you will receive a 'Permission denied' error when you try to access your files and a password prompt when you try to connect to another computer. When you want your program to be able to access your files for longer than the valid ticket lifetime, you'll have to renew your ticket (repeatedly) until your program is done. Kerberos tickets can be renewed up to a maximum renewable life period of 7 days (again to reduce the risk of abuse).
klist -5 lists your cached Kerberos tickets together with their expiration time and maximum renewal time:

    [netid@server ~]$ klist -5
    Ticket cache: FILE:/tmp/krb5cc_uid_random
    Default principal: netid@TUDELFT.NET

    Valid starting     Expires            Service principal
    01/01/01 00:00:00  01/01/01 10:00:00  krbtgt/TUDELFT.NET@TUDELFT.NET
            renew until 01/08/01 00:00:00
- Ticket cache: the Kerberos tickets that have been issued to you are stored in a ticket cache file. You can have multiple ticket cache files on the same computer (from different connections, for example) with different tickets and ticket expiration times. Some ticket cache files are automatically removed when you logout. The cache file is readable only by you; anyone who can read it can use your tickets until they expire, so never copy it to a shared location or loosen its permissions. Tip: make sure that you renew the tickets in the right ticket cache file (see the screen example below).
- Default principal: your identity.
- Service principal: the identity of services that you have gotten tickets for. You always need a Kerberos ticket-granting ticket (krbtgt) in order to obtain other tickets for specific services like accessing files (nfs) or connecting to computers.
- Valid starting / Expires: your ticket is only valid between these times (this period is called the valid lifetime). After this time you will not be able to use the service nor automatically renew the ticket (without password).
- renew until: your ticket can only be renewed without password up to this time. After this time you will have to obtain a new ticket using your password.
2.1. Renewing Kerberos tickets
If you have a valid Kerberos krbtgt ticket, you can renew it at any time (until it expires) by running the command kinit -R:

    [netid@server ~]$ kinit -R
    [netid@server ~]$ klist -5
    Ticket cache: FILE:/tmp/krb5cc_uid_random
    Default principal: netid@TUDELFT.NET

    Valid starting     Expires            Service principal
    01/01/01 01:00:00  01/01/01 11:00:00  krbtgt/TUDELFT.NET@TUDELFT.NET
            renew until 01/08/01 00:00:00
When the krbtgt ticket has expired or reached its renew until time, you will have to obtain a new ticket by running kinit -r 7d (note the difference in case for the r) and authenticating with your password:

    [netid@server ~]$ kinit -r 7d
    Password for netid@TUDELFT.NET:
    [netid@server ~]$ klist -5
    Ticket cache: FILE:/tmp/krb5cc_uid_random
    Default principal: netid@TUDELFT.NET

    Valid starting     Expires            Service principal
    01/01/01 11:00:00  01/01/01 21:00:00  krbtgt/TUDELFT.NET@TUDELFT.NET
            renew until 01/08/01 11:00:00
On the TU Delft Linux desktops your Kerberos ticket is refreshed (i.e. replaced by a new ticket) automatically every time you enter your password for unlocking the screen saver. Tip: don't disable the screen saver password lock.
On remote computers you have to manually renew your tickets before they expire.
On the compute servers, the screen program has been modified to allow jobs to run unattended for up to 7 days. It creates a private ticket cache (to prevent the cache from being destroyed at logout) and automatically renews your ticket up to the maximum renewable life. For example, start MATLAB in Screen with screen matlab (the order is important!).

    [netid@server ~]$ screen matlab
    Warning: No display specified.  You will not be able to display graphics on the screen.

                                  < M A T L A B (R) >
                        Copyright 1984-2010 The MathWorks, Inc.
                     Version 7.11.0.584 (R2010b) 64-bit (glnxa64)
                                  August 16, 2010

      To get started, type one of these: helpwin, helpdesk, or demo.
      For product information, visit www.mathworks.com.

    >>
For longer jobs you have to manually obtain a new ticket at least every 7 days by running kinit -r 7d from within screen (so you use the specific ticket cache file that screen is using):
- connect to screen (screen -r),
- create a new window (Ctrl-a c),
- run kinit -r 7d,
- exit the window (exit),
- detach from screen (Ctrl-a d).

    [netid@server ~]$ kinit -r 7d
    Password for netid@TUDELFT.NET:
    [netid@server ~]$ klist -5
    Ticket cache: FILE:/tmp/krb5cc_uid_private
    Default principal: netid@TUDELFT.NET

    Valid starting     Expires            Service principal
    01/08/01 09:00:00  01/08/01 19:00:00  krbtgt/TUDELFT.NET@TUDELFT.NET
            renew until 01/15/01 09:00:00
    [netid@server ~]$ exit
Tip: Use a repeating reminder (twice a week) in your agenda so you don't forget.
Important: when the end of the renewable life is reached, your tickets expire and your program(s) will return 'Permission denied' errors when trying to access your files. Your program(s) will not be terminated automatically; you still have to terminate the program(s) yourself.
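The renewal rules above (kinit -R works only while the krbtgt is still valid, a new kinit -r 7d with a password is needed once the renewable life runs out, and everything has to happen in the ticket cache the job actually uses) can be automated for a job on a remote computer. The script below is an added example written for this page; it is not the TU Delft screen modification or any TU Delft-provided tool. It assumes GNU date (for date -d) and the MM/DD/YY HH:MM:SS timestamps that klist prints above; the function names ticket_state and keep_ticket and the LEAD threshold are this example's own.

```shell
#!/bin/bash
# Added example for this page (not TU Delft tooling): classify the krbtgt in a
# ticket cache from `klist -5` output and keep it renewed for a long-running job
# that uses its own private ticket cache, the way the modified screen does.
# Assumptions: GNU date (`date -d`), klist timestamps as MM/DD/YY HH:MM:SS, and
# the function names / LEAD variable, which are this example's own.

LEAD=${LEAD:-3600}   # act when fewer than this many seconds of lifetime remain

# Convert a klist timestamp ("01/01/01 10:00:00") to seconds since the epoch.
klist_epoch() {
    date -d "$1" +%s
}

# ticket_state <now_epoch>   (klist -5 output on stdin)
# Prints exactly one word:
#   ok      - krbtgt valid for more than LEAD seconds, nothing to do
#   renew   - expires within LEAD seconds but is still renewable: run `kinit -R`
#   reauth  - the "renew until" limit is within LEAD seconds, so `kinit -R` is
#             about to stop working: a new `kinit -r 7d` (password) is needed
#   expired - the krbtgt has already expired; renewal without password is impossible
#   none    - no krbtgt in this ticket cache
ticket_state() {
    now=$1
    # Take the Expires fields of the krbtgt line and the "renew until" line that
    # klist prints directly below it (absent for a non-renewable ticket).
    parsed=$(awk '/krbtgt\// {
        ex = $3 " " $4
        if ((getline) > 0 && $1 == "renew") ru = $3 " " $4
        print ex "|" ru
        exit
    }')
    [ -n "$parsed" ] || { echo none; return 0; }
    expires=${parsed%%|*}
    renew_until=${parsed#*|}
    [ -n "$renew_until" ] || renew_until=$expires   # not renewable: limit = expiry
    expires_e=$(klist_epoch "$expires")
    renew_e=$(klist_epoch "$renew_until")
    if [ "$now" -ge "$expires_e" ]; then
        echo expired
    elif [ $((renew_e - now)) -le "$LEAD" ]; then
        echo reauth
    elif [ $((expires_e - now)) -le "$LEAD" ]; then
        echo renew
    else
        echo ok
    fi
}

# keep_ticket <check_interval_seconds>: poll the cache named by $KRB5CCNAME and
# renew the krbtgt while that is still possible. Returns non-zero as soon as a
# password would be required, so the caller can warn the user instead of
# silently letting the job run into "Permission denied".
keep_ticket() {
    interval=${1:-1800}
    while sleep "$interval"; do
        case $(klist -5 | ticket_state "$(date +%s)") in
            ok)    ;;
            renew) kinit -R || { echo "kinit -R failed" >&2; return 1; } ;;
            *)     echo "krbtgt needs a new kinit -r 7d (password)" >&2; return 1 ;;
        esac
    done
}

# Intended use (inside screen or nohup, so the job outlives the login session):
#   export KRB5CCNAME="FILE:/tmp/krb5cc_$(id -u)_private_$$"  # not destroyed at logout
#   kinit -r 7d                        # password once, renewable for 7 days
#   keep_ticket 1800 & renew_pid=$!
#   matlab -nodisplay; kill "$renew_pid"; kdestroy   # kdestroy removes the private cache
```

The private cache is created by kinit with mode 0600, so only your own processes (and root) can use it; running kdestroy when the job finishes removes it rather than leaving a reusable credential on the compute server. Because the check looks at the renew until time and not only at the expiry, keep_ticket stops and warns about an hour before the 7-day renewable life ends, which is the moment at which you have to type your password again as described above.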
Extra functionality can be provided by programs such as krenew. On most computers these are not available by default but can be installed (ask Robbert).