Difference between revisions of "Sds-hd kerberos"
m (→kerberos environment for SDS@hd) |
S Richling (talk | contribs) (Redirected page to SDS@hd) (Tag: New redirect) |
||
| Line 1: | Line 1: | ||
| + | #REDIRECT [[SDS@hd]] |
||
| − | == kerberos environment for SDS@hd == |
||
| − | |||
| − | |||
| − | * For Kerberos authentication to work, a correctly synchronized system time must be set on each nfs client (e.g. via [https://linux.die.net/man/8/ntpdate ntpdate] ntp01.urz.uni-heidelberg.de or [https://chrony.tuxfamily.org chrony]) |
||
| − | |||
| − | The following parameters of kerberos tickets are set on server side: |
||
| − | * max. Lifetime of a Serviceticket: 10 hours |
||
| − | * max. Lifetime of a Userticket: 24 hours |
||
| − | * max. Renewaltime for Usertickets: 10 days |
||
| − | |||
| − | The properties (e.g. lifetimes, encryption, ...) of the kerberos tickets can be changed on client site with different kinit parameters (see manpages of kinit) or via ''/etc/krb5.conf''. |
||
| − | |||
| − | First you have to install kerberos packages in your system to provide a working kerberos environment. The exact names of the packages depending on you linux distribution (see examples below). |
||
| − | |||
| − | ''Example RedHat/CentOS'' |
||
| − | <pre>yum install krb5-workstation</pre> |
||
| − | |||
| − | ''Example debian/ubuntu'' |
||
| − | <pre>apt install krb5-user</pre> |
||
| − | On ubuntu server: nfs-kernel-server |
||
| − | |||
| − | |||
| − | After installing the packages you have to use the following kerberos parameters for connecting to SDS@hd: |
||
| − | |||
| − | * Default Realm = BWSERVICES.UNI-HEIDELBERG.DE |
||
| − | * KDC = bwservices.uni-heidelberg.de |
||
| − | |||
| − | So your kerberos configuration file (/etc/krb5.conf) should contain the following entries: |
||
| − | <pre> |
||
| − | [libdefaults] |
||
| − | default_realm = BWSERVICES.UNI-HEIDELBERG.DE |
||
| − | |||
| − | [realms] |
||
| − | BWSERVICES.UNI-HEIDELBERG.DE= { |
||
| − | kdc = bwservices.uni-heidelberg.de |
||
| − | admin_server = bwservices.uni-heidelberg.de |
||
| − | } |
||
| − | [domain_realm] |
||
| − | .uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE |
||
| − | uni-heidelberg.de = BWSERVICES.UNI-HEIDELBERG.DE |
||
| − | </pre> |
||
| − | |||
| − | The keytab file of the machine, which you get from the [mailto:sds-hd-support@urz.uni-heidelberg.de SDS@hd Team], has to be stored as ''/etc/krb5.keytab'' in the system. |
||
| − | |||
| − | Because of caching issue with the kerberos ticket cache, you have to disable gssproxy service: |
||
| − | <pre> |
||
| − | systemctl stop gssproxy.service |
||
| − | systemctl mask gssproxy.service |
||
| − | </pre> |
||
| − | [[Category:Sds-hd|NFS|Kerberos]] |
||
Latest revision as of 17:10, 19 August 2022
Redirect to:
