Initializing Your Kerberos Ticket
Whenever you log into a workstation that uses Kerberos authentication, you’ll automatically be issued a Kerberos ticket. You can see if you have a Kerberos ticket by running klist in a terminal. If you have a Kerberos ticket you’ll see something like:
    Ticket cache: FILE:/tmp/krb5cc_9999_prBsnY
    Default principal: user@CECS.PDX.EDU

    Valid starting       Expires              Service principal
    11/30/2018 18:46:18  12/01/2018 04:46:18  krbtgt/CECS.PDX.EDU@CECS.PDX.EDU
            renew until 12/07/2018 18:46:18
    11/30/2018 18:49:30  12/01/2018 04:46:18  nfs/pearl.cat.pdx.edu@CECS.PDX.EDU
            renew until 12/07/2018 18:46:18
    11/30/2018 18:53:47  12/01/2018 04:46:18  nfs/garnet.cat.pdx.edu@CECS.PDX.EDU
            renew until 12/07/2018 18:46:18
If you don’t have a Kerberos ticket, either because you are logging into a computer that doesn’t use Kerberos for authentication or because your Kerberos ticket has expired, you can manually initialize one by running kinit in a terminal. The kinit command will prompt you for a password, which should be your regular Linux password.
It’s worth noting that whenever you log into a physical workstation with a password, you are issued a new Kerberos ticket with a new expiry time and maximum renewal time. This means that if you have to unlock your workstation every day when you come in, you will always have a valid Kerberos ticket.
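An added example (not part of the original page): a Python sketch that parses klist output in the format shown above and decides whether the ticket-granting ticket is still fine, can be renewed without a password using kinit -R, or needs a fresh kinit. The function names, the one-hour margin and the MM/DD/YYYY date format are assumptions; the sample input is constructed from the output shown on this page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, taken from the klist output shown on this page.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_9999_prBsnY
Default principal: user@CECS.PDX.EDU

Valid starting       Expires              Service principal
11/30/2018 18:46:18  12/01/2018 04:46:18  krbtgt/CECS.PDX.EDU@CECS.PDX.EDU
\trenew until 12/07/2018 18:46:18
11/30/2018 18:49:30  12/01/2018 04:46:18  nfs/pearl.cat.pdx.edu@CECS.PDX.EDU
\trenew until 12/07/2018 18:46:18
"""

FMT = "%m/%d/%Y %H:%M:%S"  # assumption: klist prints dates as on this page
STAMP = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s*renew until {STAMP}\s*$")

def parse_klist(text):
    """Return one dict per ticket: service, start, expires, renew_until."""
    tickets = []
    for line in text.splitlines():
        ticket = TICKET.match(line)
        renew = RENEW.match(line)
        if ticket:
            start, expires = (datetime.strptime(ticket.group(i), FMT) for i in (1, 2))
            tickets.append({"service": ticket.group(3), "start": start,
                            "expires": expires, "renew_until": None})
        elif renew and tickets:
            # A "renew until" line belongs to the ticket printed just before it.
            tickets[-1]["renew_until"] = datetime.strptime(renew.group(1), FMT)
    return tickets

def tgt_action(text, now, margin=timedelta(hours=1)):
    """Return "ok", "renew" (kinit -R suffices) or "kinit" (password needed)
    for the ticket-granting ticket (krbtgt/...) at local time `now`."""
    tgt = next((t for t in parse_klist(text)
                if t["service"].startswith("krbtgt/")), None)
    if tgt is None or now >= tgt["expires"]:
        return "kinit"  # no TGT, or it expired: an expired ticket cannot be renewed
    if now + margin < tgt["expires"]:
        return "ok"
    # Close to expiry: renewing only helps if the renewal window extends further.
    if tgt["renew_until"] and tgt["renew_until"] > tgt["expires"]:
        return "renew"
    return "kinit"
```

On a live system, pass the text printed by klist and datetime.now() to tgt_action.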
Initializing a Kerberos Ticket from Your Personal Computer
As long as you are connected to the MCECS OpenVPN, it should be possible for you to kinit from your own personal Linux computer. You’ll also need to make sure you have kinit installed (on Ubuntu this is provided by the apt package krb5-user).
To initialize a Kerberos ticket as your MCECS user, you’ll need to run:
The @CECS.PDX.EDU part is the MCECS Kerberos realm name and needs to be spelled and capitalized exactly like that. You should be prompted for your password, and if entered correctly you should be issued a Kerberos ticket.
If you don’t like entering the Kerberos realm name every time, you can make a Kerberos config file for yourself at ~/.krb5.conf with the contents:
    [libdefaults]
        default_realm = CECS.PDX.EDU
        kdc_timesync = 1m
        ccache_type = 4
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        proxiable = true