
The University's Cubbli Linux machines use the same authentication mechanism as the University's Windows machines: they authenticate, and get their user accounts and groups, from the University's Active Directory (AD) domain, which uses a network protocol called Kerberos (Wikipedia link). Normally all of this is configured to happen automatically and you don't need to worry about Kerberos or even know what it is. However, sometimes there are problems related to Kerberos, and then the information on this page might be useful.

When you use your password to log in to a Cubbli machine from the console, through ssh, or by unlocking a locked screen, you get a Kerberos ticket: a secret (essentially a random number) that can be used to authenticate to other services in the University's network without typing your password again. This provides the single sign-on capability at the University.

...

A very common problem when using a Kerberos ticket is that the ticket has expired or that there isn't one. This prevents Cubbli Linux from accessing any service that requires Kerberos tickets, including but not limited to those listed above. See Common problems below.

...

$ klist
Ticket cache: FILE:/tmp/krb5cc_1033431_JVldy8
Default principal: jjaakkol@AD.HELSINKI.FI

Valid starting     Expires            Service principal
13/07/18 12:05:16  13/07/18 22:05:16  krbtgt/AD.HELSINKI.FI@AD.HELSINKI.FI
    renew until 14/07/18 12:05:14
13/07/18 12:06:47  13/07/18 22:05:16  nfs/nas-fs.cs.helsinki.fi@AD.HELSINKI.FI
    renew until 14/07/18 12:05:14
13/07/18 12:07:03  13/07/18 22:05:16  cifs/home3.ad.helsinki.fi@AD.HELSINKI.FI
    renew until 14/07/18 12:05:14
13/07/18 12:07:51  13/07/18 22:05:16  host/melkki.cs.helsinki.fi@AD.HELSINKI.FI
    renew until 14/07/18 12:05:14
13/07/18 12:08:07  13/07/18 22:05:16  cifs/valkokuusi1.ad.helsinki.fi@AD.HELSINKI.FI

...


Tickets have a limited lifetime, after which they cannot be used any more. There are two different lifetimes:

...

Common problems

Expired or missing ticket

The most common problem is that the Kerberos ticket has expired or is missing. When the ticket has expired and you try to access files on a network file share, you get the error message 'Key has expired'. This can be fixed by getting a new ticket:

jjaakkol@melkinkari:~$ cat hello.txt
cat: hello.txt: Key has expired
jjaakkol@melkinkari:~$ kinit
Password for jjaakkol@AD.HELSINKI.FI:
jjaakkol@melkinkari:~$ cat hello.txt
Hello!
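As an added example (not part of the original page), a small shell script that parses klist output in the format shown above and reports whether the ticket-granting ticket is missing, expired, still valid, or valid and still renewable, which is the check to run before concluding that a 'Key has expired' error needs a kinit. The sample klist text, the principal and the "now" timestamps are constructed, and the script assumes GNU date (for `date -d`) and the dd/mm/yy timestamps that klist prints here.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes GNU date (for `date -d`)
# and klist output in the dd/mm/yy form shown above.

# Constructed sample of `klist` output (placeholder principal; times as klist prints them).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1033431_JVldy8
Default principal: user@AD.HELSINKI.FI

Valid starting     Expires            Service principal
13/07/18 12:05:16  13/07/18 22:05:16  krbtgt/AD.HELSINKI.FI@AD.HELSINKI.FI
    renew until 14/07/18 12:05:14
13/07/18 12:06:47  13/07/18 22:05:16  nfs/nas-fs.cs.helsinki.fi@AD.HELSINKI.FI
    renew until 14/07/18 12:05:14'

# to_epoch DD/MM/YY HH:MM:SS -> seconds since the epoch, in the local timezone
# (the same zone klist prints in, so the result is comparable with `date +%s`).
to_epoch() {
  d=$1; t=$2
  dd=${d%%/*}; rest=${d#*/}; mm=${rest%%/*}; yy=${rest#*/}
  date -d "20$yy-$mm-$dd $t" +%s
}

# tgt_status KLIST_TEXT NOW_EPOCH
# Prints one of: missing, expired, valid, renewable.
# Exit status 0 when the TGT is usable (like `klist -s`), 1 otherwise.
tgt_status() {
  klist_text=$1; now=$2
  # Expires date/time of the krbtgt entry, plus the "renew until" line that follows it, if any.
  fields=$(printf '%s\n' "$klist_text" | awk '
    /krbtgt\// { exp_d=$3; exp_t=$4
                 if ((getline nxt) > 0 && nxt ~ /renew until/) { split(nxt, r, " "); ren_d=r[3]; ren_t=r[4] } }
    END { if (exp_d != "") print exp_d, exp_t, ren_d, ren_t }')
  if [ -z "$fields" ]; then echo missing; return 1; fi
  set -- $fields
  if [ "$now" -ge "$(to_epoch "$1" "$2")" ]; then echo expired; return 1; fi
  # Still valid: it can be renewed with `kinit -R` only while "renew until" has not passed.
  if [ -n "$3" ] && [ "$now" -lt "$(to_epoch "$3" "$4")" ]; then echo renewable; else echo valid; fi
  return 0
}

# Demo on the constructed sample at two constructed "now" times.
printf 'TGT at 13/07/18 15:00: %s\n' "$(tgt_status "$SAMPLE_KLIST" "$(to_epoch 13/07/18 15:00:00)")"
printf 'TGT at 13/07/18 23:00: %s\n' "$(tgt_status "$SAMPLE_KLIST" "$(to_epoch 13/07/18 23:00:00)")"
# Against the real ticket cache, when klist is installed:
if command -v klist >/dev/null 2>&1; then
  printf 'Current TGT: %s\n' "$(tgt_status "$(klist 2>/dev/null)" "$(date +%s)")"
fi
```

An expired ticket cannot be renewed with `kinit -R` even if its "renew until" time has not passed, which is why the script reports it simply as expired: the fix is a fresh `kinit`, as in the session above.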

Using an ssh client from University AD Windows (like PuTTY)

Another common problem happens when an ssh client uses Kerberos to log in to an ssh server but does not delegate (forward) Kerberos tickets to the server, so the server has no ticket with which to access your home directory. This commonly happens when using the PuTTY ssh client in the University's AD Windows environment, where Kerberos authentication is available but delegation is not. This too can be fixed by getting a new ticket:


Last login: Wed Jun 6 11:38:18 2018 from 128.214.138.171
Could not chdir to home directory /home/jjaakkol: Permission denied
realpath: /home/jjaakkol: Permission denied
-bash: /home/jjaakkol/.bash_profile: Permission denied
jjaakkol@tktl-pangolin:/$ kinit
Password for jjaakkol@AD.HELSINKI.FI:
jjaakkol@tktl-pangolin:/$ cd
jjaakkol@tktl-pangolin:~$

Classroom host allows login, but home directories are not visible

It is possible to log in to a host with cached login credentials but not get a Kerberos ticket because of network problems; then home directories will not be visible. If this happens with a classroom host, check that the host is actually connected to the network and then restart it if possible.