Sds-hd kerberos: Difference between revisions
mNo edit summary |
|||
Line 43: | Line 43: | ||
The keytab file of the machine, which you get from the [mailto:sds-hd-support@urz.uni-heidelberg.de SDS@hd Team], has to be stored as ''/etc/krb5.keytab'' in the system. |
The keytab file of the machine, which you get from the [mailto:sds-hd-support@urz.uni-heidelberg.de SDS@hd Team], has to be stored as ''/etc/krb5.keytab'' in the system. |
||
Because of caching issue with the kerberos ticket cache, you have to disable gssproxy service: |
|||
<pre> |
|||
systemctl stop gssproxy.service |
|||
systemctl mask gssproxy.service |
|||
</pre> |
|||
[[Category:Sds-hd|NFS|Kerberos]] |
[[Category:Sds-hd|NFS|Kerberos]] |
Revision as of 20:34, 16 September 2020
kerberos environment for SDS@hd
- For Kerberos authentication to work, a correctly synchronized system time must be set on each nfs client (e.g. via ntpdate ntp01.urz.uni-heidelberg.de or chrony)
The following parameters of kerberos tickets are set on server side:
- max. Lifetime of a Serviceticket: 10 hours
- max. Lifetime of a Userticket: 24 hours
- max. Renewaltime for Usertickets: 10 days
The properties (e.g. lifetimes, encryption, ...) of the kerberos tickets can be changed on client site with different kinit parameters (see manpages of kinit) or via /etc/krb5.conf.
First you have to install kerberos packages in your system to provide a working kerberos environment. The exact names of the packages depending on you linux distribution (see examples below).
Example RedHat/CentOS
yum install krb5-workstation
Example debian/ubuntu
apt install krb5-user
On ubuntu server: nfs-kernel-server
After installing the packages you have to use the following kerberos parameters for connecting to SDS@hd:
- Default Realm = BWSERVICES.UNI-HEIDELBERG.DE
- KDC = bwservices.uni-heidelberg.de
So your kerberos configuration file (/etc/krb5.conf) should contain the following entries:
[libdefaults] default_realm = BWSERVICES.UNI-HEIDELBERG.DE [realms] BWSERVICES.UNI-HEIDELBERG.DE= { kdc = bwservices.uni-heidelberg.de admin_server = bwservices.uni-heidelberg.de } [domain_realm] .uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE
The keytab file of the machine, which you get from the SDS@hd Team, has to be stored as /etc/krb5.keytab in the system.
Because of caching issue with the kerberos ticket cache, you have to disable gssproxy service:
systemctl stop gssproxy.service systemctl mask gssproxy.service