Compared to the past, the access methods to “home” directories and possibly other shared resources on Linux workstations have changed.
These changes will not affect other IT services (email, web, Windows access, etc.).
To increase the level of security when accessing files, two existing protocols have been integrated: the file sharing protocol (NFS) and the authentication protocol (Kerberos V). This way, only users with valid credentials can access the files, obviously by specifying their password.
How does the Kerberos protocol work?
Each DEI user has credentials (i.e., their password) that are stored in the Kerberos database.
Some services require valid credentials to be used: logging into a Linux workstation, accessing files via NFS, etc.
When logging in, for example, by entering the password, the user obtains what's called a “ticket”, which is a credential that is typically valid for 24 hours.
Using this ticket, for as long as it is valid, the user can access other services that require such credentials without needing to re-enter the password.
One benefit of the Kerberos protocol is that the password is never transmitted “in clear text” over the network.
Once the ticket expires, the services become unavailable. The ticket can be renewed without retyping the password, for up to 14 days, to allow for long-running simulations, for example.
Please note that files and directories must still be properly protected from unauthorized access using the chmod command.
Below are some typical situations and related commands:
Graphical login on a Linux workstation within the DEI domain
Once logged in, a valid ticket is automatically created.
Issue: If the session remains open for more than a day, the ticket expires and access to the home directory is lost.
Solution: In a terminal, run the command kinit and enter your password, or activate a graphical program like krb5-auth-dialog, which will automatically appear in the session when the ticket expires.
Remote SSH login via terminal to a Linux workstation in the DEI domain
Once connected, a valid ticket is automatically created.
Issue: If the session remains open for more than a day, the ticket expires and access to the home directory is lost.
Solution: In the remote terminal, run the command kinit and enter your password.
Running a simulation that needs to last several days
From an authenticated session, run the following command:
kinit -r 14d
This requests a ticket that can be renewed for up to 14 days.
Then, launch a program that automatically renews the ticket:
krenew -K NumberOfMinutes -b
where NumberOfMinutes is how often the ticket should be renewed automatically (for example, specify 240 minutes to renew every 4 hours).
Running a long simulation on a batch server (e.g., svrfirb.dei.unipd.it)
The instructions are the same as before, but on this type of server the simulation may run on a different machine than the one it was launched from (the master node). From an authenticated session, run the following commands:
kinit -r 14d -c ~/.ticket
export KRB5CCNAME=~/.ticket
krenew -k ~/.ticket -K NumberOfMinutes -b
For convenience, you can create a script like this:
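#!/bin/bash
# Keep the ticket in ~/.ticket renewed in the background
krenew -k ~/.ticket -K NumberOfMinutes -b
# Point the simulation at the same ticket cache
export KRB5CCNAME=~/.ticket
"simulation command"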
and launch it using bsub.
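Before submitting a multi-day job, it is worth confirming that the ticket in the cache is still valid and can be renewed for at least as long as the job will run. The check below is an added example, not part of the original DEI instructions: it assumes MIT klist's MM/DD/YYYY date layout and a date command that accepts -d, and the klist sample, principal and realm in it are constructed placeholders.

```shell
#!/bin/bash
# Added example: pre-flight check before a multi-day job (not DEI's own script).
# Assumes MIT klist's "MM/DD/YYYY HH:MM:SS" layout and a date(1) that accepts -d.

# Constructed sample of `klist -c ~/.ticket` output; principal and realm are placeholders.
SAMPLE_KLIST='Ticket cache: FILE:/home/user/.ticket
Default principal: user@EXAMPLE.ORG

Valid starting       Expires              Service principal
01/15/2025 09:00:00  01/16/2025 09:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
	renew until 01/29/2025 09:00:00'

# Convert "YYYY-MM-DD HH:MM:SS" (local time, as klist prints it) to epoch seconds.
to_epoch() { date -d "$1" +%s; }

# Usage: klist -c ~/.ticket | ticket_covers_job HOURS [NOW_EPOCH]
# Returns 0 if the TGT is valid now and renewable past the end of the job,
#         1 if no TGT is found or it has already expired,
#         2 if the TGT is not renewable or cannot be renewed for long enough.
ticket_covers_job() {
    hours=$1
    now=${2:-$(date +%s)}
    # Extract "Expires" and "renew until" of the first krbtgt entry as ISO dates.
    parsed=$(awk '
        function iso(d, t,   p) { split(d, p, "/"); return p[3] "-" p[1] "-" p[2] " " t }
        e == "" && $NF ~ /^krbtgt\// { e = iso($3, $4); tgt = 1; next }
        tgt && /renew until/         { r = iso($3, $4) }
        { tgt = 0 }
        END { print e "|" r }')
    expires=${parsed%%|*}
    renew=${parsed#*|}
    if [ -z "$expires" ] || [ "$(to_epoch "$expires")" -le "$now" ]; then
        echo "no valid ticket: run kinit -r 14d -c ~/.ticket" >&2; return 1
    fi
    if [ -z "$renew" ]; then
        echo "ticket is not renewable: run kinit -r 14d -c ~/.ticket" >&2; return 2
    fi
    if [ "$(to_epoch "$renew")" -lt $((now + hours * 3600)) ]; then
        echo "job would outlive the renewable window (ends $renew)" >&2; return 2
    fi
    echo "ok: ticket renewable until $renew"
}

# Demo on the constructed sample: a 10-day job started on 2025-01-15 10:00.
printf '%s\n' "$SAMPLE_KLIST" | ticket_covers_job 240 "$(to_epoch '2025-01-15 10:00:00')"
```

In the bsub script, the function can be called with the expected job length in hours before krenew is started, so a job that would lose access to the home directory partway through is rejected at submission time.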