LinuxQuestions.org

Linux - Server: root kerberos ticket expires and causes issues at user logon (https://www.linuxquestions.org/questions/linux-server-73/root-kerberos-ticket-expires-and-causes-issues-at-user-logon-4175646644/)

QuantumSmeggingCheese 01-21-2019 09:14 AM

root kerberos ticket expires and causes issues at user logon
 
Hi all,

I have a number of CentOS (6.x) servers running in a SLURM (current version) cluster.
I have joined the CentOS boxes to a Windows domain via sssd and enabled AD logins, and that all works great.
Next I used the 'krb5' and 'multiuser' mount options to mount the users' home dirs from a remote (Windows) file server. Again, great.

The users' folders get created at first logon, and the only persistent error is that the .Xauthority file won't get created on the first login, but does on the second. I'm guessing something is happening in the wrong order. No big.

But. The big issue is that this mount line is in fstab:
Code:

\\FQDN\homes /mnt/homes  cifs multiuser,suid,rw,user,exec,sec=krb5,cruid=$USER 0 0

This works and the user has all the correct permissions, the dir gets created, etc. But.... only if root's Kerberos ticket is still valid.

I can 100% repeat this issue, and if I hop on the box, su and kinit, the ticket is created and users log on without error. If the ticket has expired, the process that creates the home folder errors out, as it (presumably running as root) can't access the mount point.


The only thing I can think of is some kind of self-replenishing Kerberos ticket, but that is clearly security madness?

It's taken a ton of Googling to get it this far! But now the info has dried up and I'm well up a certain creek!

Hopefully someone here has the words of wisdom Google is hiding from me.

/dev/random 01-21-2019 11:51 PM

Why not just kinit in Cron for root? Just make sure no one can access the ticket.

QuantumSmeggingCheese 01-22-2019 05:56 AM

Sorry if I'm missing the point here, but won't kinit wrapped in cron just renew, not re-issue, the ticket until its maximum renew time has expired, i.e. 7 days?
I'm not familiar with how I get root's password safely into a cron job, some sort of creds file presumably; that's why I was asking here!

TA
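The usual way to do what /dev/random suggests without putting a password anywhere is a keytab, which the thread does not mention. The script below is an added example, not code from the thread: it assumes a Linux host whose keytab (default /etc/krb5.keytab, as created by an sssd/realmd domain join) contains the host principal, uses GNU stat, and keeps root's cache in /tmp/krb5cc_0; the realm EXAMPLE.COM is a placeholder. It refuses to run if the keytab is group- or world-readable, since the keytab is exactly the secret that must be protected, and it only calls kinit when klist reports the current ticket has expired.

```sh
#!/bin/sh
# Added example, not from the thread: refresh root's Kerberos TGT from a keytab
# so the cron job never needs a password. Assumptions: KEYTAB holds PRINCIPAL,
# root's credential cache is CCACHE, and stat is GNU coreutils (CentOS is fine).
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
PRINCIPAL="${PRINCIPAL:-host/$(hostname -f 2>/dev/null || hostname)@EXAMPLE.COM}"
CCACHE="${CCACHE:-/tmp/krb5cc_0}"

# Succeed only if the keytab exists and has no group/other permission bits,
# i.e. its last two octal digits are 00 (600, 400, ...).
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# klist -s exits 0 silently when the cache holds an unexpired ticket.
ticket_valid() {
    KRB5CCNAME="$1" klist -s 2>/dev/null
}

# Obtain a fresh TGT only when needed. Returns 2 without touching Kerberos if
# the keytab is readable by others: a leaked keytab is as good as the password.
refresh_ticket() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to use $KEYTAB: it must not be group/world readable" >&2
        return 2
    fi
    ticket_valid "$CCACHE" && return 0
    umask 077    # the new cache file must not be readable by other users either
    KRB5CCNAME="$CCACHE" kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# Example root cron entry (assumed path): */30 * * * * /usr/local/sbin/krb-refresh.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_ticket
fi
```

Because this is a new kinit each time rather than a `kinit -R`, the 7-day renewable lifetime the follow-up asks about does not apply; the keytab itself becomes the long-lived secret, so it needs the same protection /dev/random asks for on the ticket.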

QuantumSmeggingCheese 01-23-2019 04:37 AM

*UPDATE*

This may well be not a problem after all...

I was simulating the Windows file server using a VirtualBox VM which, as it was running on my laptop, got turned off at the end of the day..... (where is the foot-in-mouth emoji on here??)

Looks like it's a case of "if the server is on, the ticket gets renewed". Doh.

Thanks to all that looked at this and thought about it.

Cheers.
