Initializing Your Kerberos Ticket

2019-01-09T17:28:40+00:00

Whenever you log in to a workstation that uses Kerberos authentication, you’ll automatically be issued a Kerberos ticket. You can check whether you have a Kerberos ticket by running klist in a terminal. If you have one, you’ll see something like:

Ticket cache: FILE:/tmp/krb5cc_9999_prBsnY
Default principal: user@CECS.PDX.EDU

Valid starting    Expires           Service principal
11/30/2018 18:46:18  12/01/2018 04:46:18 krbtgt/CECS.PDX.EDU@CECS.PDX.EDU
   renew until 12/07/2018 18:46:18
11/30/2018 18:49:30  12/01/2018 04:46:18 nfs/pearl.cat.pdx.edu@CECS.PDX.EDU
   renew until 12/07/2018 18:46:18
11/30/2018 18:53:47  12/01/2018 04:46:18 nfs/garnet.cat.pdx.edu@CECS.PDX.EDU
   renew until 12/07/2018 18:46:18

If you don’t have a Kerberos ticket, either because you are logging in to a computer that doesn’t use Kerberos for authentication or because your Kerberos ticket has expired, you can manually initialize one by running kinit in a terminal. kinit will prompt you for a password, which should be your regular Linux password.

It’s worth noting that whenever you log in to a physical workstation with a password, you are issued a new Kerberos ticket with a new expiry time and maximum renewal time. This means that if you have to unlock your workstation every day when you come in, you will always have a valid Kerberos ticket.
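As an added example (not part of the original page or the site's own tooling), the shell function below reads klist output in the format shown above and reports whether the ticket-granting ticket needs no action, can be renewed with kinit -R, or needs a fresh kinit with your password. A ticket can only be renewed while it is still valid, so the check uses a safety margin before the expiry time. The names tgt_action and sample_klist are made up for this example, and it assumes klist prints dates as MM/DD/YYYY.

```shell
#!/bin/sh
# Added example, not the site's own tooling. Assumes klist prints dates as
# MM/DD/YYYY HH:MM:SS, as in the sample output above (this varies by locale).

# tgt_action NOW SOON  -- reads `klist` output on stdin.
# NOW and SOON are YYYYMMDDHHMMSS strings; SOON is "now plus a safety margin".
# Prints: ok (nothing to do), renew (run kinit -R), kinit (password needed).
tgt_action() {
    awk -v now="$1" -v soon="$2" '
    # "MM/DD/YYYY", "HH:MM:SS" -> sortable YYYYMMDDHHMMSS string
    function stamp(d, t,   p) {
        split(d, p, "/"); gsub(/:/, "", t)
        return p[3] p[1] p[2] t
    }
    # The local TGT is krbtgt/REALM@REALM; cross-realm TGTs are ignored.
    $5 ~ /^krbtgt\// {
        split(substr($5, 8), realm, "@")
        if (realm[1] == realm[2]) { expires = stamp($3, $4); tgt = 1; next }
    }
    # The "renew until" line directly below the TGT gives its renewal limit.
    tgt && $1 == "renew" && $2 == "until" { renew = stamp($3, $4) }
    { tgt = 0 }
    END {
        if (expires == "" || expires <= now) print "kinit"   # none, or expired
        else if (expires > soon)             print "ok"
        else if (renew > soon)               print "renew"   # still valid, renewable
        else                                 print "kinit"
    }'
}

# Sample input: the TGT lines from the klist output shown above.
sample_klist() {
    cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_9999_prBsnY
Default principal: user@CECS.PDX.EDU

Valid starting    Expires           Service principal
11/30/2018 18:46:18  12/01/2018 04:46:18 krbtgt/CECS.PDX.EDU@CECS.PDX.EDU
   renew until 12/07/2018 18:46:18
EOF
}

# One hour before expiry with a two-hour margin: renew without a password.
sample_klist | tgt_action 20181201034618 20181201054618
```

In real use, pipe klist into the function and build NOW with date +%Y%m%d%H%M%S; with GNU date, SOON can be built the same way using date -d '+1 hour'.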

Initializing a Kerberos Ticket from Your Personal Computer

As long as you are connected to the MCECS OpenVPN, it should be possible for you to kinit from your own personal Linux computer. You’ll also need to make sure you have kinit installed (on Ubuntu this is provided by the apt package krb5-user).

To initialize a Kerberos ticket as your MCECS user, you’ll need to run:

kinit mcecsuser@CECS.PDX.EDU

The @CECS.PDX.EDU part is the MCECS Kerberos realm name and needs to be spelled and capitalized exactly like that. You should be prompted for your password, and if it is entered correctly you should be issued a Kerberos ticket.

If you don’t like entering the Kerberos realm name every time, you can make a Kerberos config file for yourself at ~/.krb5.conf with the contents:

[libdefaults]
   default_realm = CECS.PDX.EDU
   kdc_timesync = 1m
   ccache_type = 4
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true
   proxiable = true