keeping krb5 tickets alive

excellent answer on SO https://serverfault.com/a/1127986

I think the k5start option might be easiest to use. I tested it as follows:

marmaduke@ub24:~$ df -h | grep ins
//insrv1.lnn.timone.univ-mrs.fr/data   65T  2.4T   62T   4% /mnt/data
marmaduke@ub24:~$ ls /mnt/data
ls: cannot access '/mnt/data': Permission denied
marmaduke@ub24:~$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_1640027617)
marmaduke@ub24:~$ k5start -f foo.keytab -U sh
Kerberos initialization for marmaduke@LNN.TIMONE.UNIV-MRS.FR
$ klist
Ticket cache: FILE:/tmp/krb5cc_1640027617_nqdSRW
Default principal: marmaduke@LNN.TIMONE.UNIV-MRS.FR

Valid starting       Expires              Service principal
11/26/2024 08:11:47  11/26/2024 18:11:47  krbtgt/LNN.TIMONE.UNIV-MRS.FR@LNN.TIMONE.UNIV-MRS.FR
$ ls /mnt/data
proj  team  user
$ exit

this is on a different server, but same setup: there's a folder /mnt/data that requires a ticket to access, and I don't want to renew the ticket manually. so I use a "keytab" file foo.keytab which stores the password in encrypted form, and then start a command (here just sh, but it could be a long-running python foobar.py) with k5start, which runs the command and renews the ticket automatically using foo.keytab.

btw I suggest you run these commands inside a tmux window in case you lose your connection.

how to make the foo.keytab? using ktutil:

marmaduke@ub24:~$ ktutil
ktutil:  addent -p marmaduke -k 1 -password -f foo.keytab
Password for marmaduke@LNN.TIMONE.UNIV-MRS.FR:
ktutil:  write_kt
write_kt: must specify keytab to write
ktutil:  write_kt foo.keytab
ktutil:  quit
marmaduke@ub24:~$ ls -lh *.keytab
-rw------- 1 marmaduke domain users 92 Nov 26 08:03 foo.keytab

the resulting file has mode 600, so it is unreadable by anyone but the user who created it.
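as an added example (not from the original post), here is a small POSIX shell wrapper that ties the two steps above together: it refuses to start unless the keytab made with ktutil is still a regular file owned by the caller with mode 600 (or 400), and then runs the long-running command under k5start -f foo.keytab -U exactly as in the session above. the script name k5run.sh, the keytab path and the command are assumptions; the k5start flags are the ones used in the post.

```sh
#!/bin/sh
# Added example, not from the original post: a wrapper around the k5start
# invocation shown above. It refuses to start unless the keytab is a regular
# file owned by the caller with no group/other permission bits, then runs the
# given command under k5start so the ticket is renewed from the keytab.
# The keytab path and the command are assumptions supplied by the caller.

# Print the group+other permission characters of a file (columns 5-10 of
# "ls -l"), e.g. "------" for mode 600. Works with GNU and BSD ls.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Return 0 only if "$1" is a regular file, owned by us, and readable by nobody
# else (mode 600 or 400). ktutil creates keytabs with mode 600, as in the post;
# this check catches a keytab that was later chmod'ed or copied carelessly.
check_keytab_perms() {
    kt="$1"
    [ -f "$kt" ] || { echo "keytab '$kt' is not a regular file" >&2; return 1; }
    [ -O "$kt" ] || { echo "keytab '$kt' is not owned by $(id -un)" >&2; return 1; }
    bits=$(group_other_bits "$kt")
    if [ "$bits" != "------" ]; then
        echo "keytab '$kt' is readable by group/other (bits '$bits'); fix with: chmod 600 '$kt'" >&2
        return 1
    fi
    return 0
}

# Launch a command with "k5start -f <keytab> -U <cmd...>", as in the post, after
# the permission check. k5start takes the principal from the keytab (-U), gets a
# ticket, runs the command, and keeps renewing the ticket until the command exits.
run_under_k5start() {
    kt="$1"; shift
    check_keytab_perms "$kt" || return 1
    if [ "$#" -eq 0 ]; then
        echo "usage: run_under_k5start KEYTAB CMD [ARGS...]" >&2
        return 2
    fi
    exec k5start -f "$kt" -U "$@"
}

# Only act when invoked with arguments, e.g. (inside a tmux window):
#   ./k5run.sh "$HOME/foo.keytab" python foobar.py
if [ "$#" -gt 0 ]; then
    run_under_k5start "$@"
fi
```

the permission check is the part worth keeping even if you launch k5start by hand: a keytab is a long-lived password equivalent, so anything that makes it group- or world-readable should stop the job rather than quietly work.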
