KTH PDC [PDC - Center for Parallel Computers, KTH]

Guided Tours: Kerberos5 (Heimdal), travelkit install

How to get the kerberos travelkit.

In order to access the computers at PDC in a secure way you have to install some variant of Kerberos binaries. This document assumes that you know a little about system administration and that you install these files to your home directory.

  1. Download the necessary package depending on your OS:

Install the necessary files:

  • Create a new directory called pdckrb in your home directory:
    prompt$ mkdir pdckrb && cd pdckrb
    
    or
    C:\> mkdir pdckrb
    C:\> cd pdckrb
    

    Put the files you download in this directory.

  • Install the files:
    prompt$ cat travelkit.tar.gz | gunzip | tar xf -
    
    or
    C:\> unzip travelkit.zip
    
  • Extra steps for Windows users and for users who have a conflicting /etc/krb5.conf file on their system:

    • If you don't already have the folder /tmp or C:\tmp, you must create it; this is where the ticket files will be stored. Then create a file named krb5.conf (with Notepad or an editor of your choice) in your install directory, for example C:\Heimdal\krb5.conf. It should have at least the following content:
      [domain_realm]
         .pdc.kth.se = NADA.KTH.SE
      
      [libdefaults]
         forwardable = yes
         default_realm = NADA.KTH.SE
      
      Then use this alternative config file by setting
      setenv KRB5_CONFIG  ~/pdckrb/krb5.conf    # adjust location
      
      or
      
      C:\Heimdal>set KRB5_CONFIG=/Heimdal/krb5.conf
      

How to set up and use the kerberos travelkit

Use the kerberized telnet to access PDC:

Important note: for Kerberos to work it is necessary that the clocks on the involved machines are reasonably in sync (within a few minutes of each other). Otherwise you will get a "Time is out of bounds" error from kinit or kauth. We have collected some hints on synchronizing clocks for your perusal.

  • Get a ticket for PDC (write on one line):

    
    > ./kinit -f your-username-at-pdc@NADA.KTH.SE
          

    If you get an error here (a warning message that kinit/kauth is using port 750 is not an error), you have problems contacting our authentication server. There may be several reasons for that; first make sure your domain name service (DNS) is configured correctly.

    If you still cannot contact our authentication server, there may be a firewall between your machine and ours. In that case, read about firewall configuration below.

  • Log in to (for instance) blumino.pdc.kth.se:

    > ./rxtelnet -t -F -l your-username-at-pdc blumino.pdc.kth.se
    Note that the argument -l is the letter l, not the number 1.

    rxtelnet is a script that uses telnet and opens a terminal in its own window if you are using the X Window System. If your computer does not have X11 installed, you may use ./telnet instead of ./rxtelnet. Naturally, you will then not be able to open fancy X11 windows.

    The arguments -t -F tell rxtelnet to pass the flag -F to telnet. This forwards your Kerberos credentials (your forwardable tickets) to the host you telnet to, which gives functionality similar to the -h hostname argument to kauth in Kerberos 4, in that you end up with authentication tickets on the remote system.

    If you do not have a functional X environment, a text-based login is achieved by:

    > ./telnet -F -l your-username-at-pdc blumino.pdc.kth.se
  • If you are not able to log in, please read about user support before sending a problem report.

  • Once you have logged in to (for instance) blumino.pdc.kth.se you can check that you have both Kerberos tickets and AFS tokens to be able to start parallel programs and access your files:

    pdc-cpu> klist

    pdc-cpu> tokens

  • Kerberos tickets and AFS tokens normally expire after 10 hours; if your job has not finished by then it won't be allowed to write to disk. It is possible to create tickets with longer lifetimes, like this:
    pdc-cpu> kinit -l lifetime-in-seconds
    pdc-cpu> kinit -l 12h   (12 hours)
          

    If the lifetime of the ticket is given as 1y then the ticket will get the maximum lifetime allowed (around one month).

  • When you log out it is good practice to destroy tickets and tokens by

    pdc-cpu> kdestroy


Some typical error messages you might get are:

  • kinit: krb5_get_init_creds: Incorrect net address
    This is most likely caused by a NAT firewall (such as the broadband router used for most home connections).
    Remedy: try the --no-addresses option to kinit, or --extra-addresses=xyz.xyz.xyz.xyz with xyz.xyz.xyz.xyz replaced by the IP address of your external NAT interface. This page should give you the address of the external NAT interface in most (but not all) cases.
  • Kerberos V5: mk_req failed (Server not found in Kerberos database)
    This is most often caused by a malfunctioning name server (such as the ones provided by some home consumer ISPs).
    Remedy: you will need to add a file krb5.conf containing a section [domain_realm] with the correct Kerberos realm information, and you will need to set an environment variable to tell Heimdal the name of your config file (if it is not /etc/krb5.conf). The content of the config file should be:
    	[domain_realm]
    	  .nada.kth.se = NADA.KTH.SE
    	  .pdc.kth.se = NADA.KTH.SE
    
  • kinit: krb5_get_init_creds: unable to reach any KDC in realm NADA.KTH.SE
    If you get this error message you are most probably behind a firewall that blocks communication with our Kerberos servers.
    Remedy: see the section Kerberos and Firewalls below.

Kerberos and Firewalls

When a firewall is installed between your workstation and the computers at PDC, the special configurations described below may be necessary to use Kerberos.

  1. Ports used by Kerberos

    Contact your system administrators and make sure that a firewall is really the problem. In its standard configuration Kerberos uses the following ports for communication:

    Port name                Port number  Port type  Comment
    kerberos                 88           UDP        Default configuration
    kerberos                 88           TCP        Alternative configuration for usage with firewalls - see below
    http (used by kerberos)  80           TCP
    telnet                   23           TCP        Usual firewall configuration
    ftp-data                 20           TCP
    ftp                      21           TCP
    kx                       2111         TCP        Only necessary for encrypted X

    If possible, open UDP port 88 for bidirectional communication. This is the default (and preferred) mode of operation. Otherwise continue with the next step.

    After that, try to contact our authentication server with kinit as described before.

  2. If there is no contact through UDP port 88, open TCP port 88 for outgoing traffic instead (if possible), and try kinit again. If it still does not work, continue with the next step.
  3. The next thing to try is to get kerberos to communicate via http over TCP port 80. This port is often open, since it is needed for surfing the web.
    • Create the configuration file $HOME/pdckrb/travelkit/krb5.conf, with the following contents:
      [libdefaults]
              default_realm = NADA.KTH.SE
              forwardable = yes
      
      [realms]
      	NADA.KTH.SE = {
      		kdc = http/kerberos.pdc.kth.se
      	}
      
      [domain_realm]
              .pdc.kth.se = NADA.KTH.SE
    • Next, you need to tell the programs where the configuration file is by setting an environment variable.

      In tcsh/csh:

      > setenv KRB5_CONFIG $HOME/pdckrb/travelkit/krb5.conf
      In sh/ksh/bash:
      $ KRB5_CONFIG=$HOME/pdckrb/travelkit/krb5.conf
      $ export KRB5_CONFIG
    • In some systems, all http communication (i.e. web traffic) must go through a proxy. If that is the case, you can probably find out its address by looking at the settings of your web browser. If not, ask your system administrator.

      To instruct Kerberos to go through the proxy, add the following line to the [libdefaults] section of $HOME/pdckrb/travelkit/krb5.conf:

      http_proxy = http://address.of.proxy:port
      
  4. If it is still not working, it's time to report your problem to PDC staff.
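The two krb5.conf variants on this page (the minimal one from the install section, and the http-over-TCP-port-80 one with an optional proxy from step 3) differ only in the [realms] section and the http_proxy line. The shell script below is an added example, not part of the PDC travelkit or its documentation: it writes either variant to a directory you choose and checks that the sections the chosen mode needs are present. The scratch directory under $TMPDIR, the helper names write_krb5_conf and check_krb5_conf, and the proxy address are assumptions; the realm, the KDC name and the domain-to-realm mappings are the ones given above.

```shell
# Added example, not from the PDC page: generate the krb5.conf variants
# described above and verify them. Realm/KDC values come from the page;
# the directory layout and the proxy address are placeholders.

write_krb5_conf() {
    # $1 = directory to write into
    # $2 = mode: "default" (Kerberos over port 88) or "http" (over TCP port 80)
    # $3 = optional proxy URL, only used in http mode
    dir=$1; mode=${2:-default}; proxy=$3
    mkdir -p "$dir" || return 1
    conf=$dir/krb5.conf
    {
        echo "[libdefaults]"
        echo "        default_realm = NADA.KTH.SE"
        echo "        forwardable = yes"
        if [ "$mode" = http ] && [ -n "$proxy" ]; then
            echo "        http_proxy = $proxy"
        fi
        echo
        if [ "$mode" = http ]; then
            # Pin the KDC to the http transport as step 3 requires.
            echo "[realms]"
            echo "        NADA.KTH.SE = {"
            echo "                kdc = http/kerberos.pdc.kth.se"
            echo "        }"
            echo
        fi
        echo "[domain_realm]"
        echo "        .nada.kth.se = NADA.KTH.SE"
        echo "        .pdc.kth.se = NADA.KTH.SE"
    } > "$conf" || return 1
    echo "$conf"
}

# Return 0 if the file in $1 has every section that mode $2 needs.
check_krb5_conf() {
    grep -q '^\[libdefaults\]' "$1" || return 1
    grep -q 'default_realm = NADA.KTH.SE' "$1" || return 1
    grep -q '^\[domain_realm\]' "$1" || return 1
    if [ "$2" = http ]; then
        grep -q 'kdc = http/kerberos.pdc.kth.se' "$1" || return 1
    else
        # default mode must not pin a KDC; Heimdal then finds it via DNS
        ! grep -q '^\[realms\]' "$1" || return 1
    fi
    return 0
}

# Demo in a scratch directory (the real location is $HOME/pdckrb/travelkit).
DEMO_DIR=${TMPDIR:-/tmp}/pdckrb-example
CONF=$(write_krb5_conf "$DEMO_DIR/default" default)
check_krb5_conf "$CONF" default && echo "wrote $CONF"
CONF=$(write_krb5_conf "$DEMO_DIR/http" http http://address.of.proxy:port)
check_krb5_conf "$CONF" http && echo "wrote $CONF"

# Point the Heimdal tools at the generated file (sh/ksh/bash; use setenv in csh).
KRB5_CONFIG=$CONF
export KRB5_CONFIG
echo "KRB5_CONFIG=$KRB5_CONFIG"
```

After exporting KRB5_CONFIG, run kinit exactly as described earlier; the file only changes how the KDC is reached, not the principal or password you use. Note that in default mode no [realms] section is written, so Heimdal locates the KDC through DNS, whereas the http variant pins it to http/kerberos.pdc.kth.se.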

If the authentication with kinit/kauth was successful, your tickets are shown when you use the klist command.
$ ./klist
Credentials cache: FILE:/tmp/krb5cc_a_number
        Principal: your-name@NADA.KTH.SE

  Issued           Expires          Principal                   
Aug 28 13:04:41  Aug 28 23:04:41  krbtgt/NADA.KTH.SE@NADA.KTH.SE
Now you can try to contact PDC's computers with the telnet, ftp and rxtelnet commands. Often firewalls are configured to block rxtelnet. If you want to use the X protocol, ask your system administrator to open TCP port 2111 outgoing.
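Tickets expire after 10 hours by default, as noted earlier, and a job that outlives its ticket can no longer write to disk. The shell functions below are an added example, not from the PDC page or the Heimdal distribution: they parse a klist listing laid out like the one above, compute how long the krbtgt ticket remains valid relative to a given "now", and compare that with a job's requested walltime so you know whether to run kinit -l first. The sample listing is constructed, the "now" is passed in explicitly so the check runs offline, and the parser assumes the "Mon DD HH:MM:SS" column layout shown above with all timestamps in the same year.

```shell
# Added example, not from the PDC page: decide from klist output whether
# the krbtgt ticket outlasts a job. Assumes Heimdal's "Issued / Expires /
# Principal" layout as shown above and timestamps within one year.

# Constructed sample klist output, modelled on the listing above.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_12345
        Principal: someuser@NADA.KTH.SE

  Issued           Expires          Principal
Aug 28 13:04:41  Aug 28 23:04:41  krbtgt/NADA.KTH.SE@NADA.KTH.SE'

# Convert "Mon DD HH:MM:SS" into a comparable number of seconds. Months are
# approximated as 31 days: only differences between two values are used.
to_seconds() {
    echo "$1 $2 $3" | awk '{
        m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) - 1) / 3 + 1
        split($3, t, ":")
        print ((m * 31 + $2) * 86400) + t[1] * 3600 + t[2] * 60 + t[3]
    }'
}

# Seconds until the krbtgt ticket in the klist output $1 expires, measured
# from "now" given as month ($2), day ($3) and HH:MM:SS ($4).
ticket_seconds_left() {
    klist_out=$1; now_mon=$2; now_day=$3; now_time=$4
    exp_line=$(printf '%s\n' "$klist_out" | awk '/krbtgt\// { print $4, $5, $6; exit }')
    if [ -z "$exp_line" ]; then
        echo "no krbtgt ticket in credentials cache (run kinit)" >&2
        return 1
    fi
    set -- $exp_line
    exp_s=$(to_seconds "$1" "$2" "$3")
    now_s=$(to_seconds "$now_mon" "$now_day" "$now_time")
    echo $((exp_s - now_s))
}

# Exit 0 if the ticket is valid for at least $5 seconds beyond "now",
# otherwise print a hint to renew with a longer lifetime and exit 1.
ticket_outlasts_job() {
    left=$(ticket_seconds_left "$1" "$2" "$3" "$4") || return 1
    if [ "$left" -ge "$5" ]; then
        echo "ok: ticket valid for $left s, job needs $5 s"
        return 0
    fi
    echo "renew first (e.g. kinit -l 12h): ticket valid for $left s, job needs $5 s" >&2
    return 1
}

# Demo: at 20:04:41 the sample ticket has three hours left, enough for a 1 h job.
ticket_outlasts_job "$SAMPLE_KLIST" Aug 28 20:04:41 3600
```

On a login node you would feed it the live output, for example ticket_outlasts_job "$(klist)" $(date '+%b %d %T') 36000 before submitting a 10-hour job; date is assumed to print the same month, day and time format, and a zero-padded day is handled the same as an unpadded one.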
