kinit

Obtains a credential ticket for a principal, so that you do not have to type a password again afterwards; from MIT Kerberos.
A ticket has a ticket lifetime and a renewable lifetime.
The ticket lifetime is shorter than the renewable lifetime.
For liniu@ANT.AMAZON.COM, the default ticket lifetime is 10h (resp., 6h40m) when using kinit -l (resp., -r); why?

From KDC server side:

  1. modify max_life in kdc.conf (/etc/krb5kdc/kdc.conf, or /var/kerberos/krb5kdc/kdc.conf depending on the distribution) and restart the KDC daemon
  2. via "kadmin", change the "maxlife" of a test principal with "modprinc -maxlife 14hours"

From Kerberos client side:
modify ticket_lifetime in /etc/krb5.conf

In fact, the ticket lifetime is the minimum of the following values:

  • max_life in kdc.conf on the KDC servers.

  • ticket_lifetime in krb5.conf on the client machine.

  • maxlife for the user principal.

  • maxlife for the service principal "krbtgt/[REALM_in_CAPS]"

  • requested lifetime in the ticket request. For example: kinit -l 14h

  • maxlife for the AFS service principal "afs/[realm_in_lower_case]", if you want to increase the lifetime of your AFS token.

Commonly used commands:

klist      (list the tickets in the credential cache)
kdestroy   (destroy the credential cache)

An example:

Ticket cache: FILE:/tmp/krb5cc_4126574_GM19Ct
Default principal: liniu@ANT.AMAZON.COM

Valid starting       Expires              Service principal
08/18/16 08:13:20    08/18/16 18:13:20    krbtgt/ANT.AMAZON.COM@ANT.AMAZON.COM

The time format looks like 4d5h30m.

kinit -l lifetime       //request a ticket with a ticket lifetime of lifetime
-r renewable-life       //request a renewable ticket with a total renewable lifetime of renewable-life
//I'm still unclear about the difference between -l and -r
-f                      //forwardable
-F                      //non-forwardable
-R                      //request renewal of the ticket-granting ticket. No password is needed, but the renewal must happen within the ticket lifetime, not just within the renewable lifetime.

Automatically renew tickets: a ticket must be renewed before its ticket lifetime expires, and renewing is non-interactive, so the easiest way is to put the renewal in a cron job.

Run 'crontab -e' to edit the file in /var/spool/cron/. Use 'crontab -l' to see the file.

# Renew the kerberos ticket every 8 hours, this will extend the lifetime of
# the ticket until the renew lifetime expires, after that this command will
# fail to renew the ticket and you will need to interactively
# run `kinit -f -l 86400 -r 2592000`
#
# minute hour day_of_month month weekday command
59 00,08,16 * * * /usr/kerberos/bin/kinit -R
# minute 59, at 0, 8 or 16 o'clock, any day of month, any month, any weekday; the command executed is '/usr/kerberos/bin/kinit -R'
# some short notations: 1-3 means 1,2,3; */15 means every 15
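To make the two rules above concrete (the ticket lifetime is the minimum of all the configured limits, and `kinit -R` only works while the current ticket is still valid), here is an added example that is not part of the original notes. It parses kinit-style durations, picks the smallest limit, and checks whether a cron renewal interval keeps the TGT alive for the whole renewable lifetime; the limit values are constructed.

```python
# Added example (not from the original notes): model the "minimum of the limits"
# rule for the ticket lifetime and check a cron `kinit -R` renewal interval.
import math
import re

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_DELTAT = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def parse_deltat(text):
    """Parse a kinit-style duration ('4d5h30m', '10h') or a bare count of seconds."""
    text = text.strip()
    if text.isdigit():                       # kinit -l 86400 means 86400 seconds
        return int(text)
    m = _DELTAT.fullmatch(text)
    if m is None or not any(m.groups()):
        raise ValueError("unrecognised duration: %r" % text)
    return sum(int(v) * _UNITS[u] for v, u in zip(m.groups(), "dhms") if v)


def effective_lifetime(limits):
    """Return (seconds, name) of the smallest limit; that is what the TGT gets."""
    return min((parse_deltat(v), k) for k, v in limits.items())


def renewal_plan(ticket_life, renewable_life, cron_interval):
    """Renewal must run before the ticket expires, so the cron interval has to be
    shorter than the ticket lifetime. Each renewal then extends the expiry by up
    to ticket_life, capped at renewable_life after the original kinit."""
    L, R, I = (parse_deltat(x) for x in (ticket_life, renewable_life, cron_interval))
    if I >= L:
        return {"ok": False, "renewals": 0, "valid_for": L,
                "reason": "cron interval %ss is not shorter than ticket lifetime %ss" % (I, L)}
    renewals = max(0, math.ceil(R / I) - 1)   # renewals at I, 2I, ... while k*I < R
    return {"ok": True, "renewals": renewals, "valid_for": R if renewals else L,
            "reason": "valid until the renewable lifetime ends; then run kinit interactively"}


if __name__ == "__main__":
    # Constructed limits reproducing the author's case: kinit -l 14h still yields 10h.
    limits = {"kdc.conf max_life": "1d", "krb5.conf ticket_lifetime": "10h",
              "user principal maxlife": "1d", "krbtgt/REALM maxlife": "1d",
              "requested with kinit -l": "14h"}
    print(effective_lifetime(limits))        # (36000, 'krb5.conf ticket_lifetime')
    print(renewal_plan("10h", "7d", "8h"))   # ok, 20 renewals
    print(renewal_plan("10h", "7d", "12h"))  # not ok: first renewal comes too late
```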

Key notes:

  1. Do not run kinit with sudo.

  2. When no credential ticket can be found, pass -c $KRB5CCNAME, where KRB5CCNAME is the environment variable that records the path of the credential cache.