Hi there.

I have a RHEL5 machine that I want to use Kerberos tickets to access cifs shares on my AD domain. I want this ticket to be valid all the time (and thus able to mount using it any time) so that I don't have to go back to the old way of passing usernames and passwords on the command line or in a file.

Here's what I do:

    # kinit linuxserviceaccount
    # mount.cifs //shares.domain.com/siv 1 -o fstype=cifs,sec=krb5
    # klist -5
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: linuxserviceaccount@DOMAIN.COM

    Valid starting     Expires            Service principal
    01/28/11 15:46:44  01/29/11 01:46:52  krbtgt/[email protected]
            renew until 01/29/11 01:46:44
    01/28/11 15:46:56  01/29/11 01:46:52  cifs/[email protected]
            renew until 01/29/11 01:46:44

This works great, however, eventually (24 hours) the ticket expires:

    mount error(126): Required key not available

I've tried a crontab like the following attempting to renew it every 6 hours, but that doesn't seem to do much:

    0 */6 * * * /usr/kerberos/bin/kinit -R

There are other options that look promising for kinit like lifetime and renewable_life.

Finally, I dug into the Group Policy for the domain, and discovered the following:

    Account Policies/Kerberos Policy
    Enforce user logon restrictions                         Enabled
    Maximum lifetime for service ticket                     600 minutes
    Maximum lifetime for user ticket                        10 hours
    Maximum lifetime for user ticket renewal                7 days
    Maximum tolerance for computer clock synchronization    5 minutes

Do I need to change any of these in order to do what I want to do? Lastly, can I do that for just my service account or do I have to change the entire domain policy?

Thanks for the use of your eyeballs!

Joel.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
