Re: Questions Regarding User Tokens

https://www.novabbs.com/devel/article-flat.php?id=448&group=comp.protocols.kerberos#448

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Questions Regarding User Tokens
Date: Thu, 07 Dec 2023 19:43:43 -0500
Organization: TNet Consulting
Lines: 41
Message-ID: <mailman.67.1701996234.2263420.kerberos@mit.edu>
References: <CAP2Q0J4L7eJ+ZD9mXchmQh69Bq=o8oGoXTfzxxy2hskSrgyBxA@mail.gmail.com>
<202312080043.3B80hh1r007744@hedwig.cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
To: John Joshua Gutierrez <jjg9803@gmail.com>
In-Reply-To: <CAP2Q0J4L7eJ+ZD9mXchmQh69Bq=o8oGoXTfzxxy2hskSrgyBxA@mail.gmail.com>
 by: Ken Hornstein - Fri, 8 Dec 2023 00:43 UTC

> - How do we extend ticket lifetime to 14 days?
> - We have tried to set the ticket lifetime to 14 days in krb5.conf
> [realm] but it caps out to one day

First, assuming you're talking about the "ticket_lifetime" parameter,
that actually goes in the [libdefaults] stanza. You can also specify the
lifetime parameter on the command line to kinit using the "-l" option
and that might be the most useful to start out during testing.

Where you're probably running into issues is that the ticket lifetime
is the MINIMUM of: the requested lifetime (via the -l option or the
ticket_lifetime parameter), the maximum lifetime set on the client
principal, and the maximum lifetime set on the service principal. So
you need to modify the maximum lifetime on all of your clients AND
all of your services. You can do this with the "modprinc -maxlife"
command inside of kadmin. To even test this out with one user you'd
need to change that user's maximum lifetime AND the lifetime of the TGS
principal (krbtgt/REALM@REALM).

> - How do we extend renewable ticket lifetime to 30 days?
> - We set the variable to 30 days but it only caps out to 14 days.

See above, the same rules apply (with the exception that you use
the "-maxrenewlife" option to modprinc).

> - Kinit would sometimes give us an expiration date from the past

That maybe sounds like a clock synchronization problem? If you could
give us details there, that might be helpful.

> - Kinit needs to be done on every single node you want to use. If, no
> kinit then no access to NFS home directory.

Normally this is done at login time automatically, and when you log into
a remote system Kerberos tickets are forwarded.

If you are using a batch processing system then that is trickier; there
are some tricks there, but none of them are great if you don't have
a Kerberos aware queueing system.

--Ken
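Ken's minimum-of-three rule for both the ticket life and the renewable life, as an added example that is not part of the original post: the duration parser follows the kinit / krb5.conf syntax, and the principal names and the 1-day / 14-day caps are a constructed scenario reproducing the symptoms the questioner reported, so the output names which cap is binding and therefore which principal to change with modprinc.

```python
import re
from dataclasses import dataclass

# kinit -l/-r and ticket_lifetime/renew_lifetime syntax: "14d", "1d 12h 30m", "36000", "10:30".
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text: str) -> int:
    """Return the number of seconds a krb5-style duration string denotes."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if ":" in text:
        hours, minutes, seconds = ([int(p) for p in text.split(":")] + [0, 0])[:3]
        return hours * 3600 + minutes * 60 + seconds
    if not re.fullmatch(r"(\s*\d+\s*[dhms])+\s*", text):
        raise ValueError(f"unrecognized duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)\s*([dhms])", text))

@dataclass
class Principal:
    """Caps as shown by 'getprinc' in kadmin (constructed values, not a real realm)."""
    name: str
    max_life: int        # seconds; raised with: modprinc -maxlife <duration> <principal>
    max_renew_life: int  # seconds; raised with: modprinc -maxrenewlife <duration> <principal>

def _binding_minimum(caps: dict) -> tuple:
    """Return (value, label) of the smallest cap; on a tie the first listed wins."""
    label = min(caps, key=caps.get)
    return caps[label], label

def effective_lifetimes(requested_life: str, requested_renew: str,
                        client: Principal, service: Principal) -> dict:
    """What the KDC grants = MIN(requested, client cap, service cap), computed
    separately for ticket life and renewable life, plus which cap is binding
    so the admin knows which principal (user or krbtgt/REALM@REALM) to modify."""
    life, life_cap = _binding_minimum({
        "requested (-l / ticket_lifetime)": parse_duration(requested_life),
        f"client {client.name} maxlife": client.max_life,
        f"service {service.name} maxlife": service.max_life})
    renew, renew_cap = _binding_minimum({
        "requested (-r / renew_lifetime)": parse_duration(requested_renew),
        f"client {client.name} maxrenewlife": client.max_renew_life,
        f"service {service.name} maxrenewlife": service.max_renew_life})
    return {"ticket_life": life, "ticket_life_limited_by": life_cap,
            "renew_life": renew, "renew_life_limited_by": renew_cap}

if __name__ == "__main__":
    # Constructed scenario matching the thread: 14d/30d requested, realm caps of 1d/14d.
    user = Principal("user@EXAMPLE.COM", parse_duration("1d"), parse_duration("14d"))
    tgs = Principal("krbtgt/EXAMPLE.COM@EXAMPLE.COM", parse_duration("1d"), parse_duration("14d"))
    print(effective_lifetimes("14d", "30d", user, tgs))
```

Once both the user and the krbtgt principal are raised, the "requested" entry becomes the binding cap, which is the state the questioner is trying to reach.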
