
Authenticate using keytab

Problem: when a connection to one of the central storages (NetApp NAS head) is secured with krb5 security, a valid Kerberos ticket is needed to access that storage. The ticket can be obtained by entering your NetID password, but it is valid for only 10 hours. Jobs running longer than that may lose access to these storages once the ticket expires.

This can be circumvented by using a keytab file to obtain tickets and refreshing them with that keytab file every hour or so.

Warning

A keytab file is an encrypted file containing the encrypted version of your NetID password. Therefore the file must be well protected against misuse by others, as it gives complete access to your home directory and the central storages. If your keytab file is compromised, change your password immediately!

With the following instructions you can create a keytab file (make sure to delete any existing keytab file first, otherwise the new entries will be appended to it: rm -f <homedirectory>/keytab1):

Note

Replace <NetID> with your NetID and <homedirectory> with your home directory or another location where you would like to store your keytab file.

$ ktutil
addent -password -p <NetID>@TUDELFT.NET -k 1 -e rc4-hmac
addent -password -p <NetID>@TUDELFT.NET -k 1 -e des-cbc-md5
addent -password -p <NetID>@TUDELFT.NET -k 1 -e des-cbc-crc
wkt <homedirectory>/keytab1
quit

Use the keytab file:

$ klist # check available tickets
$ kinit <NetID>@TUDELFT.NET -k -t <homedirectory>/keytab1
$ klist # recheck

Automatic refresh of the ticket, e.g. every hour (at 10 minutes past the hour):

$ crontab -l | { cat; echo "10 * * * * /usr/bin/kinit <NetID>@TUDELFT.NET -k -t <homedirectory>/keytab1"; } | crontab -
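The cron entry above refreshes the ticket on a fixed schedule, independent of any job. The wrapper below is an added example (not part of the original instructions) that ties the hourly refresh to the lifetime of one long-running job and refuses to use a keytab that is readable by anyone but its owner. It assumes the MIT krb5 tools (kinit, klist); <NetID> and the keytab path are placeholders to replace, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: run a long job while refreshing a Kerberos
# ticket from a keytab every hour. Assumes MIT krb5 kinit/klist; <NetID> and the keytab
# path are placeholders (constructed), matching the page's own conventions.

PRINCIPAL="${PRINCIPAL:-<NetID>@TUDELFT.NET}"
KEYTAB="${KEYTAB:-$HOME/keytab1}"
REFRESH_SECONDS="${REFRESH_SECONDS:-3600}"   # the page suggests roughly hourly

# keytab_mode_ok FILE: succeed only when FILE exists and its group/other permission
# bits are all cleared (mode 0600 or 0400). Anyone who can read it can obtain tickets as you.
keytab_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)   # chars 5-10 of "-rw-------"
    [ "$perms" = "------" ]
}

# refresh_ticket: obtain a fresh ticket from the keytab, refusing a badly protected one.
refresh_ticket() {
    if ! keytab_mode_ok "$KEYTAB"; then
        echo "refusing to use $KEYTAB: run chmod 600 $KEYTAB first" >&2
        return 2
    fi
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# run_with_ticket CMD...: get a ticket, start a background refresher, run CMD, then stop
# the refresher. Returns CMD's exit status.
run_with_ticket() {
    refresh_ticket || return $?
    (
        while sleep "$REFRESH_SECONDS"; do
            # klist -s is silent and exits non-zero when the cache holds no valid ticket
            klist -s || echo "ticket expired before the scheduled refresh" >&2
            refresh_ticket
        done
    ) &
    refresher=$!
    "$@"
    status=$?
    kill "$refresher" 2>/dev/null
    return $status
}

# Usage: ./krb_job.sh my_long_job.sh arg1 arg2 (only runs when arguments are given)
if [ $# -gt 0 ]; then
    run_with_ticket "$@"
fi
```

The cron line from the page and this wrapper can coexist; the wrapper only adds the permission check and stops refreshing when the job ends.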

Last update: 2021-07-29