When migrating from NIS to Kerberos+LDAP authentication, one critical pain point emerges with NFS-mounted home directories. Terminal server users often maintain suspended sessions or run background jobs for extended periods, leading to expired Kerberos tickets that break NFS access.
Our solution must address two scenarios:
- Regular renewal of existing tickets before expiration
- Complete re-authentication when renewal period exceeds maximum lifetime
The k5start utility provides an elegant solution. Here's a sample implementation:
# Install k5start on Debian/Ubuntu (package name is kstart)
sudo apt-get install kstart
# Basic usage example: -u names the principal, -b backgrounds the process, -p writes the PID file
k5start -f /path/to/keytab -u username -K 60 -l 10h -b -p /path/to/pidfile
Key parameters:
- -K 60: wake up every 60 minutes and renew the ticket if needed
- -l 10h: request a ticket lifetime of 10 hours
- -b: run in the background; -p records the PID in the given file
For system-wide deployment, create a systemd template unit (the %i instance name is the user):
[Unit]
Description=Kerberos Ticket Renewal for %i
After=network.target
[Service]
Type=forking
PIDFile=/var/run/k5start.%i.pid
ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -u %i -K 60 -l 10h -b -p /var/run/k5start.%i.pid
Restart=always
[Install]
WantedBy=multi-user.target
For users who may exceed maximum renewal periods:
#!/bin/bash
# Full re-authentication script: when no valid ticket is left, obtain a fresh one from the keytab
MAX_RENEW=7d
# export so that klist and kinit below use the same cache
export KRB5CCNAME=/tmp/krb5cc_$(id -u)
if ! klist -s; then
    kinit -kt /etc/krb5.keytab -l "$MAX_RENEW" -r "$MAX_RENEW" username
fi
When implementing automatic renewal:
- Restrict keytab file permissions (0400)
- Use separate keytabs per service
- Monitor renewal logs for anomalies
For PAM-integrated solutions:
# /etc/pam.d/sshd
session optional pam_exec.so /usr/local/bin/krb-renew.sh
Sample renewal script:
#!/bin/bash
# Run by pam_exec: start a per-user k5start when a session opens
if [ "$PAM_TYPE" = "open_session" ]; then
    k5start -f /etc/krb5.keytab -u "$PAM_USER" -K 60 -l 10h -b -p "/var/run/krb5cc_$PAM_USER.pid"
fi
When migrating from NIS to Kerberos+LDAP in terminal server environments, we face a unique challenge with long-running sessions. Users typically suspend sessions or run background jobs for extended periods, while NFS-mounted home directories require continuous Kerberos authentication.
The standard Kerberos ticket workflow has two critical parameters in krb5.conf:
[libdefaults]
ticket_lifetime = 24h
renew_lifetime = 7d
This configuration grants initial 24-hour validity with 7-day renewal capability, but we need to handle cases exceeding these limits.
The k5start utility provides robust ticket maintenance. Here's a systemd service configuration for persistent renewal:
[Unit]
Description=Kerberos ticket renewal for %i
After=network.target
[Service]
Type=simple
ExecStart=/usr/bin/k5start -f /etc/krb5.keytab -u %i -o %i -l 10h -K 10
[Install]
WantedBy=multi-user.target
Key parameters:
- -u %i: obtain tickets for the instance user's principal from the keytab
- -o %i: make that user the owner of the ticket cache
- -l 10h: request a 10-hour ticket lifetime
- -K 10: keep running and renew the ticket every 10 minutes if it needs it (no -b here, because Type=simple expects k5start to stay in the foreground)
For users traveling with long-running jobs, implement a credential cache watcher:
#!/bin/bash
# Re-initialise from the host keytab whenever the cache no longer holds a valid ticket
while true; do
    if ! klist -s; then
        kinit -kt /etc/krb5.keytab "host/$(hostname -f)"
    fi
    sleep 3600
done
Ensure proper NFS mount options in /etc/fstab:
fileserver:/home /home nfs4 sec=krb5i,rw,hard,intr,noatime 0 0
This configuration enforces Kerberos integrity protection while maintaining compatibility with ticket renewal.
Implement a monitoring script to detect expiring tickets:
#!/usr/bin/python3
import re
import subprocess
import sys

def check_tickets(threshold_hours=2):
    # Assumes a klist format that reports the remaining lifetime as e.g. "1h30m05s";
    # adjust the regex if your klist prints absolute expiry timestamps instead.
    output = subprocess.check_output(['klist']).decode()
    for line in output.split('\n'):
        if match := re.search(r'(\S+)\s+(\d+)h(\d+)m(\d+)s', line):
            principal, hours = match.group(1), int(match.group(2))
            if hours < threshold_hours:
                send_alert(principal)

def send_alert(principal):
    # Replace with your alerting logic (syslog, mail, pager)
    print(f"ticket for {principal} expires in under 2 hours", file=sys.stderr)

if __name__ == '__main__':
    check_tickets()
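To make the renew-versus-re-authenticate decision explicit (the case the ticket_lifetime and renew_lifetime limits above leave open, and which the monitoring script above only approximates), here is an added example that is not part of the original page: it parses MIT klist output and decides whether the TGT is fine, can still be renewed with kinit -R, or needs a fresh kinit from the keytab. The sample klist text, the one-hour margin and the two date formats are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT `klist` output (not captured from a real host):
# a 24h TGT that is renewable for 7 days, as the krb5.conf settings above permit.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
05/04/2024 09:00:00  05/05/2024 09:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/11/2024 09:00:00
"""
DATE_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")  # 4- and 2-digit years
TGT_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(krbtgt/\S+)$")
RENEW_RE = re.compile(r"^\s*renew until (\S+ \S+)$")

def parse_ts(text):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")

def parse_tgt(klist_output):
    """Return (expires, renew_until) of the TGT; renew_until is None if not renewable."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = TGT_RE.match(line)
        if not m:
            continue
        renew_until = None
        if i + 1 < len(lines) and (r := RENEW_RE.match(lines[i + 1])):
            renew_until = parse_ts(r.group(1))
        return parse_ts(m.group(2)), renew_until
    raise ValueError("no krbtgt entry in klist output")

def plan_action(klist_output, now, margin=timedelta(hours=1)):
    """'ok', 'renew' (kinit -R still works) or 'reauth' (only a fresh kinit -kt helps)."""
    now = parse_ts(now) if isinstance(now, str) else now
    expires, renew_until = parse_tgt(klist_output)
    if now >= expires:
        return "reauth"          # an expired ticket cannot be renewed
    if expires - now > margin:
        return "ok"              # nothing to do before the next check
    if renew_until is not None and renew_until - now > margin:
        return "renew"           # still inside renew_lifetime: renewal is enough
    return "reauth"              # renewal window exhausted: need the keytab
```

A renewer loop would call plan_action on the live `klist` output once per -K interval and run kinit -R or kinit -kt accordingly.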
When implementing automatic renewal:
1. Use service principals with minimal privileges
2. Store keytabs with strict permissions (600)
3. Implement proper logging of renewal attempts
4. Set reasonable renewal limits to prevent indefinite access