SDS@hd/Access/Kerberos: Difference between revisions

From bwHPC Wiki
< SDS@hd‎ | Access
Jump to navigation Jump to search
No edit summary
m (2. to 3. level caption)
 
Line 1: Line 1:
== Kerberos environment for SDS@hd ==
=== Kerberos environment for SDS@hd ===


* For Kerberos authentication to work, a correctly synchronized system time must be set on each nfs client (e.g. via [https://linux.die.net/man/8/ntpdate ntpdate] ntp01.urz.uni-heidelberg.de or [https://chrony.tuxfamily.org chrony])
* For Kerberos authentication to work, a correctly synchronized system time must be set on each nfs client (e.g. via [https://linux.die.net/man/8/ntpdate ntpdate] ntp01.urz.uni-heidelberg.de or [https://chrony.tuxfamily.org chrony])

Latest revision as of 01:47, 29 November 2024

Kerberos environment for SDS@hd

  • For Kerberos authentication to work, a correctly synchronized system time must be set on each nfs client (e.g. via ntpdate ntp01.urz.uni-heidelberg.de or chrony)

The following parameters of kerberos tickets are set on server side:

  • max. Lifetime of a Serviceticket: 10 hours
  • max. Lifetime of a Userticket: 24 hours
  • max. Renewaltime for Usertickets: 10 days

The properties (e.g. lifetimes, encryption, ...) of the kerberos tickets can be changed on client site with different kinit parameters (see manpages of kinit) or via /etc/krb5.conf.

First you have to install kerberos packages in your system to provide a working kerberos environment. The exact names of the packages depending on you linux distribution (see examples below).

Example RedHat/CentOS

yum install krb5-workstation

Example debian/ubuntu

apt install krb5-user

On ubuntu server: nfs-kernel-server


After installing the packages you have to use the following kerberos parameters for connecting to SDS@hd:

  • Default Realm = BWSERVICES.UNI-HEIDELBERG.DE
  • KDC = bwservices.uni-heidelberg.de

So your kerberos configuration file (/etc/krb5.conf) should contain the following entries:

[libdefaults]
     default_realm = BWSERVICES.UNI-HEIDELBERG.DE

     [realms]
     BWSERVICES.UNI-HEIDELBERG.DE= {
          kdc = bwservices.uni-heidelberg.de
          admin_server = bwservices.uni-heidelberg.de
      }
      [domain_realm]
         .uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE
         uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE

The keytab file of the machine, which you get from the SDS@hd Team, has to be stored as /etc/krb5.keytab in the system.

Because of caching issue with the kerberos ticket cache, you have to disable gssproxy service:

systemctl stop gssproxy.service
systemctl mask gssproxy.service