Hi Ken, Thank you so much for the fast reply! I will try my best to get through the tips you've given me and hopefully I fix something.
1. For the kinit -l and -r, I will get started on changing everything to be the same thing. When I finish, I will email back to you if I was successful and if not I will send screenshots of the configs. 2. For the time problem, I just finished syncing all the machines to one local NTP Server. I am using chronyd and we are running Rocky Linux 8. Hopefully that fixes that problem. 3. Yes, we unfortunately are using a scheduler and its SLURM. Would this question now go to SLURM Developers or still to Kerberos or both? Best, John On Thu, Dec 7, 2023 at 4:43 PM Ken Hornstein <k...@cmf.nrl.navy.mil> wrote: > > - How do we extend ticket lifetime to 14 days? > > - We have tried to set the ticket lifetime to 14 days in krb5.conf > > [realm] but it caps out to one day > > First, assuming you're talking about the "ticket_lifetime" parameter, > that actually goes in the [libdefaults] stanza. You can also specify the > lifetime parameter on the command line to kinit using the "-l" option > and that might be the most useful to start out during testing. > > Where you're probably running into issues is that the ticket lifetime > is the MINIMUM of: the requested lifetime (via the -l option or the > ticket_lifetime parameter), the maximum lifetime set on the client > principal, and the maximum lifetime set on the service principal. So > you need to modify the maximum lifetime on all of your clients AND > all of your services. You can do this with the "modprinc -maxlife" > command inside of kadmin. To even test this out with one user you'd > need to change that user's maximum lifetime AND the lifetime of the TGS > principal (krbtgt/REALM@REALM). > > > - How do we extend renewable ticket lifetime to 30 days? > > - We set the variable to 30 days but it only caps out to 14 days. > > See above, the same rules apply (with the exception that you're use > the "-maxrenewlife" option to modprinc). > > > - Kinit would sometimes give us an expiration date from the past > > That maybe sounds like a clock synchronization problem? If you could > give us details there, might be helpful. > > > - Kinit needs to be done on every single node you want to use. If, no > > kinit then no access to NFS home directory. > > Normally this is done at login time automatically, and when you log into > a remote system Kerberos tickets are forwarded. > > If you are using a batch processing system then that is trickier; there > are some tricks there, but none of them are great if you don't have > a Kerberos aware queueing system. > > --Ken > ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos