Re: Questions Regarding User Tokens

https://www.novabbs.com/devel/article-flat.php?id=450&group=comp.protocols.kerberos#450

From: jjg9...@gmail.com (John Joshua Gutierrez)
Newsgroups: comp.protocols.kerberos
Subject: Re: Questions Regarding User Tokens
Date: Thu, 7 Dec 2023 17:18:53 -0800
Organization: TNet Consulting
Lines: 64
Message-ID: <mailman.69.1702016142.2263420.kerberos@mit.edu>
References: <CAP2Q0J4L7eJ+ZD9mXchmQh69Bq=o8oGoXTfzxxy2hskSrgyBxA@mail.gmail.com>
<202312080043.3B80hh1r007744@hedwig.cmf.nrl.navy.mil>
<CAP2Q0J58Dc0Qo3+xnk4mm=Dz_-ETWBoi6aGdUK6fbpDycWhE5A@mail.gmail.com>
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
In-Reply-To: <202312080043.3B80hh1r007744@hedwig.cmf.nrl.navy.mil>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>

Hi Ken,

Thank you so much for the fast reply! I will try my best to get through the
tips you've given me and hopefully I'll fix something.

1. For the kinit -l and -r, I will get started on changing everything to be
the same thing. When I finish, I will email back to you if I was successful
and if not I will send screenshots of the configs.

2. For the time problem, I just finished syncing all the machines to one
local NTP Server. I am using chronyd and we are running Rocky Linux 8.
Hopefully that fixes that problem.

3. Yes, we unfortunately are using a scheduler and it's SLURM. Would this
question now go to SLURM developers or still to Kerberos, or both?

Best,
John

On Thu, Dec 7, 2023 at 4:43 PM Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:

> > - How do we extend ticket lifetime to 14 days?
> > - We have tried to set the ticket lifetime to 14 days in krb5.conf
> > [realm] but it caps out to one day
>
> First, assuming you're talking about the "ticket_lifetime" parameter,
> that actually goes in the [libdefaults] stanza. You can also specify the
> lifetime parameter on the command line to kinit using the "-l" option
> and that might be the most useful to start out during testing.
>
> Where you're probably running into issues is that the ticket lifetime
> is the MINIMUM of: the requested lifetime (via the -l option or the
> ticket_lifetime parameter), the maximum lifetime set on the client
> principal, and the maximum lifetime set on the service principal. So
> you need to modify the maximum lifetime on all of your clients AND
> all of your services. You can do this with the "modprinc -maxlife"
> command inside of kadmin. To even test this out with one user you'd
> need to change that user's maximum lifetime AND the lifetime of the TGS
> principal (krbtgt/REALM@REALM).
>
> > - How do we extend renewable ticket lifetime to 30 days?
> > - We set the variable to 30 days but it only caps out to 14 days.
>
> See above, the same rules apply (with the exception that you'd use
> the "-maxrenewlife" option to modprinc).
>
> > - Kinit would sometimes give us an expiration date from the past
>
> That maybe sounds like a clock synchronization problem? If you could
> give us details there, might be helpful.
>
> > - Kinit needs to be done on every single node you want to use. If no
> > kinit, then no access to NFS home directory.
>
> Normally this is done at login time automatically, and when you log into
> a remote system Kerberos tickets are forwarded.
>
> If you are using a batch processing system then that is trickier; there
> are some tricks there, but none of them are great if you don't have
> a Kerberos aware queueing system.
>
> --Ken
>
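A worked version of the MIN rule Ken describes (ticket lifetime is the minimum of the requested value, the client principal's cap and the krbtgt principal's cap), added here as an example and not code from the thread or from MIT Kerberos. The duration parser is an approximation of krb5's duration syntax, and the principal values replaying the thread's symptom are constructed.

```python
"""Effective ticket lifetime = MIN(requested, client principal cap, service
principal cap).  Added example; deltat parsing approximates krb5's syntax."""
import re
from typing import Dict, Tuple

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_UNIT_RE = re.compile(r"(\d+)\s*([dhms])", re.IGNORECASE)


def parse_deltat(text: str) -> int:
    """Parse a krb5-style duration ("14d", "1d 12h", "10:30", "10:30:15",
    bare seconds) into seconds; reject anything else instead of guessing."""
    s = text.strip()
    if s.isdigit():
        return int(s)
    if ":" in s:
        parts = [int(p) for p in s.split(":")]
        if len(parts) not in (2, 3):
            raise ValueError(f"bad h:m[:s] duration: {text!r}")
        return parts[0] * 3600 + parts[1] * 60 + (parts[2] if len(parts) == 3 else 0)
    found = _UNIT_RE.findall(s)
    if not found or "".join(n + u for n, u in found) != re.sub(r"\s+", "", s):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u.lower()] for n, u in found)


def effective_lifetime(requested: str, client_max: str, service_max: str,
                       attr: str = "maxlife") -> Tuple[int, str]:
    """Apply the MIN rule and name the binding cap, i.e. which value still
    needs `modprinc -maxlife` (or `-maxrenewlife` when attr says so)."""
    caps: Dict[str, int] = {
        "requested (kinit -l / -r)": parse_deltat(requested),
        f"client principal {attr}": parse_deltat(client_max),
        f"krbtgt/REALM@REALM {attr}": parse_deltat(service_max),
    }
    binding = min(caps, key=caps.get)
    return caps[binding], binding


def thread_scenario() -> Dict[str, Tuple[int, str]]:
    """The thread's symptom with constructed values: 14d requested, but both
    principals still carry a 1-day cap, so tickets 'cap out to one day'.
    Raising both caps (modprinc -maxlife on user and krbtgt) fixes it."""
    return {
        "before": effective_lifetime("14d", "1d", "1d"),
        "after": effective_lifetime("14d", "14d", "14d"),
        "renewable": effective_lifetime("30d", "30d", "14d", attr="maxrenewlife"),
    }
```

The second element of each result names the cap that is binding, which tells you which principal still needs a `modprinc` before re-testing with `kinit -l`.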
