
how to get TGT credentials for a group of machines at once

Peter Ziobrzynski

Nov 20, 1996, 3:00:00 AM

I have just configured kerberos on all my machines and now I am trying
to organize my desktop. Usually I am logged in to a set of machines
by opening xterm windows on my workstation and running kerberos
rsh in them.
When I open the first xterm on my local machine I run kinit and get
the TGT for this machine.
Now I open windows to each machine in my workgroup and to be able to
do things like rcp to other machines I have to run kinit and type my
password once for every new machine in my workgroup.
This is done once only per day but it would be nice to have my TGTs
grabbed for all machines in my workgroup right there when I login to my
workstation.
It would be even better if I got the TGTs for all the hosts in the
kerberos realm that I belong to.

Is there an easy way to do it?

cheers - Peter
--
Peter Ziobrzynski, netMedia Technology Inc. <p...@netmediatech.com>
204 Richmond St. #300, Toronto Ontario, Canada, M5V-1V6
tel.(416) 596-8520x242, fax.(416) 596-8610

Ken Hornstein

Nov 20, 1996, 3:00:00 AM

>[...]

>Now I open windows to each machine in my workgroup and to be able to
>do things like rcp to other machines I have to run kinit and type my
>password once for every new machine in my workgroup.
>This is done once only per day but it would be nice to have my TGTs
>grabbed for all machines in my workgroup right there when I login to my
>workstation.

If you're using Kerberos 5 (you don't say, but I saw in another note
that you said that you are ...) then check out "forwardable" tickets
(kinit -f/rlogin -f/telnet -f). Login is busted in beta 7 w.r.t.
forwardable tickets, but a patch is available from the mailing list
archives.

--Ken

Marc Horowitz

Nov 20, 1996, 3:00:00 AM

Peter Ziobrzynski <p...@netmediatech.com> writes:

>> Now I open windows to each machine in my workgroup and to be able to
>> do things like rcp to other machines I have to run kinit and type my
>> password once for every new machine in my workgroup.
>> This is done once only per day but it would be nice to have my TGTs
>> grabbed for all machines in my workgroup right there when I login to my
>> workstation.

>> It would be even better if I got the TGTs for all the hosts in the
>> kerberos realm that I belong to.
>>
>> Is there an easy way to do it?

Assuming you are using kerberized telnet or rlogin to these hosts, you
can just use forwarded credentials. Look up the -f flag to telnet and
rlogin.

Marc


Peter Ziobrzynski

Nov 21, 1996, 3:00:00 AM

Is the -f working in beta7? I tried it the following way to no avail.
I am getting my TGT on machine called 'net' and then rlogin to 'tech':
On machine net:

net% kinit -f
net% klist -f
net% rlogin tech -F
tech%

now after login to tech I try to list the credentials:

tech% klist
klist: No credentials cache file found while setting cache flags
(ticket cache /tmp/krb5cc_p7935)

I speculated now that the credentials are saved somewhere else and tried
to rlogin back to original machine:

tech% rlogin net
rlogin: kcmd to host net failed - No credentials cache file found
trying normal rlogin (/usr/bin/rlogin)

Am I dense or does it not work?

Marc Horowitz

Nov 21, 1996, 3:00:00 AM

Peter Ziobrzynski <p...@netmediatech.com> writes:

>> now after login to tech I try to list the credentials:
>>
>> tech% klist
>> klist: No credentials cache file found while setting cache flags
>> (ticket cache /tmp/krb5cc_p7935)
>>
>> I speculated now that the credentials are saved somewhere else and tried
>> to rlogin back to original machine:

I suspect you speculated correctly, but didn't test your hypothesis
right. rlogin will look in the same place klist will; if one can't
find your ccache, the other can't either.

ls /tmp, and see if there's a fresh ccache there. If so, there's a
bug in your login path which is causing the KRB5CCNAME not to be set
properly.

Marc
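
The check described in the message above, written out as an added shell example that is not part of the original thread: it compares the cache named by KRB5CCNAME with the krb5cc_* files actually present in a directory. The function name check_ccache and its result keywords are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): compare the credential cache named by
# KRB5CCNAME with the krb5cc_* files actually present in a directory.
# check_ccache and its result keywords are names made up for this sketch.
#
# Usage: check_ccache CCNAME [DIR]      (DIR defaults to /tmp)
# Prints one line:
#   unset              CCNAME is empty
#   unsupported TYPE   cache type other than FILE: (not inspected here)
#   ok PATH            the named cache file exists and is non-empty
#   stray PATH...      named cache missing, but other krb5cc_* files exist
#   none               named cache missing and no other cache in DIR
check_ccache() {
    ccname=$1
    dir=${2:-/tmp}
    if [ -z "$ccname" ]; then echo "unset"; return 0; fi

    case $ccname in
        FILE:*) path=${ccname#FILE:} ;;
        /*)     path=$ccname ;;            # bare path means a FILE: cache
        *:*)    echo "unsupported ${ccname%%:*}"; return 0 ;;
        *)      path=$ccname ;;
    esac

    # -s: exists and has content; an empty file holds no tickets.
    if [ -s "$path" ]; then echo "ok $path"; return 0; fi

    stray=
    for f in "$dir"/krb5cc_*; do
        [ -f "$f" ] || continue            # also skips an unmatched glob
        [ "$f" = "$path" ] && continue
        stray="$stray $f"
    done
    if [ -n "$stray" ]; then echo "stray$stray"; else echo "none"; fi
}

# Run against the current session, e.g. right after "rlogin -F" to the host.
check_ccache "${KRB5CCNAME:-}" /tmp
```

A "stray" result is the situation the message describes (a cache was written but KRB5CCNAME points elsewhere); "none" means no cache file was written in that directory at all.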

Peter Ziobrzynski

Nov 22, 1996, 3:00:00 AM

Marc Horowitz wrote:
>
> Peter Ziobrzynski <p...@netmediatech.com> writes:
>
> >> now after login to tech I try to list the credentials:
> >>
> >> tech% klist
> >> klist: No credentials cache file found while setting cache flags
> >> (ticket cache /tmp/krb5cc_p7935)
> >>
> >> I speculated now that the credentials are saved somewhere else and tried
> >> to rlogin back to original machine:
>
> I suspect you speculated correctly, but didn't test your hypothesis
> right. rlogin will look in the same place klist will; if one can't
> find your ccache, the other can't either.
>
> ls /tmp, and see if there's a fresh ccache there. If so, there's a

This was the first thing I have done - no new files in /tmp.
(I actually run 'xtail /tmp' to monitor all changes to the directory.)

> bug in your login path which is causing the KRB5CCNAME not to be set
> properly.

When I use 'rlogin -F' the KRB5CCNAME variable is set on the remote
machine session to 'FILE:/tmp/krb5cc_p7935'. It looks ok to me.

Are you saying that my login command path may affect the cache file
writing?

>
> Marc

thanks for responding
cheers - Peter

Peter Ziobrzynski

Nov 22, 1996, 3:00:00 AM

Ken Hornstein wrote:
>
> >Is the -f working in beta7? I tried it the following way to no avail.
> >I am getting my TGT on machine called 'net' and then rlogin to 'tech':
>
> It's not you.
>
> There's a bug in login.krb5. Check the mailing list archives for a patch.
>
> --Ken

Thank you man. You saved me a lot of time.
