Single Sign On
In order to open up new technologies and to improve our user experience, we are moving to a Single Sign On (SSO) authentication system. Some of the benefits of this move are having one account for everything, better security, ability to use newer packages that could not speak with kaserver and better integrate our services with user accounts.
With this comes a new workflow, described in the sections below.
Configuration
Windows 7 and above
- Download our krb5.conf file.
- Download and install the OpenAFS Client. If you only belong to the cs.pitt.edu AFS cell, put cs.pitt.edu in as your default cell. Do not reboot if prompted to.
- If you downloaded krb5-win7.conf, rename it to krb5.conf. Copy the krb5.conf file to C:\ProgramData\Kerberos\krb5.conf replacing the default krb5.conf file. If you cannot see C:\ProgramData, enable "Show Hidden Files" in Windows Explorer. For information on how to enable "Show Hidden Files", please refer to Microsoft Support.
- Reboot your machine.
Mac 10.6 and above
- Download our krb5.conf file.
- Download and install Auristor. If you only belong to the cs.pitt.edu AFS cell, put cs.pitt.edu in as your default cell.
- If this is your only Kerberos 5 realm, move and rename the krb5.conf file to /Library/Preferences/edu.mit.Kerberos. Otherwise, add the UNIV.PITT.EDU realm definition and domain_realm definitions in the downloaded krb5.conf file to your /Library/Preferences/edu.mit.Kerberos file.
Linux
- Please refer to your distribution's documentation for installing Kerberos 5 and OpenAFS. You need OpenAFS 1.6.5 or above. If you only belong to the cs.pitt.edu AFS cell, set your default cell to cs.pitt.edu.
- Download our krb5.conf file.
- If this is your only Kerberos 5 realm, drop the krb5.conf file into /etc. Otherwise, add the UNIV.PITT.EDU realm definition and domain_realm definitions in the downloaded krb5.conf file to your /etc/krb5.conf file. Please check your distribution's documentation to ensure that there is no special way to add a realm.
Usage
You do things a little differently in this new environment. Below are some common use cases. As a note, all of these are done either in the Windows Command Prompt or in a Mac/Linux terminal app.
Get AFS tokens
We used to use klog to get our AFS tokens. In this new environment, we not only need to get our AFS tokens, we also need to get a Kerberos 5 ticket.
Your Kerberos 5 ticket is what is used to get your AFS tokens. To get your Kerberos 5 ticket, do kinit <username> if you only have one realm or have set UNIV.PITT.EDU as your default realm; otherwise do kinit <username>@UNIV.PITT.EDU.
Now to get your AFS tokens, simply run aklog. You will not be asked for a password here because your Kerberos 5 ticket is proving that you are who you claim to be.
Check your tickets and tokens
To check your Kerberos 5 tickets (you will have two after doing aklog), do klist. Here you will see information about your tickets. What you need to pay attention to here are the "Expires" and "renew until" timestamps, which I will talk about below.
To check your AFS tokens, just do tokens, like in our old environment.
Renewing your tickets and tokens
One of the benefits we gain by going with this new system is the ability to renew your tokens without a password. This is where those timestamps I mentioned above come in. The "Expires" timestamp is when your Kerberos 5 ticket will expire. If you allow your ticket to expire, you will need to get a new ticket as described above. However, if you renew your ticket before it expires, you will get a new ticket with a new expiration date. To renew your ticket, do kinit -R. You can subsequently renew your AFS tokens by doing aklog.
The "renew until" timestamp is when your ability to renew without a password runs out. After this time, you will have no choice but to get a new ticket as described above.
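As an added example (not part of the original page), here is a small POSIX shell helper that reads the "Expires" and "renew until" timestamps of the krbtgt ticket from klist output and decides whether kinit -R is still an option or a fresh kinit is needed. The function names, the jdoe principal and the sample klist output are constructed for this example, and the MM/DD/YYYY HH:MM:SS timestamp layout is an assumption about your klist build.

```shell
# Added example, not from the original page: decide from `klist` output
# whether a Kerberos 5 ticket can still be renewed with `kinit -R` or whether
# a fresh `kinit <username>@UNIV.PITT.EDU` is required. Assumes klist prints
# timestamps as MM/DD/YYYY HH:MM:SS (adjust ts_key if your build differs).

# Turn "MM/DD/YYYY HH:MM:SS" into a sortable YYYYMMDDHHMMSS number.
ts_key() {
    echo "$1" | awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# Read klist output on stdin; print "<expires> <renew until|none>" for the
# ticket-granting ticket of REALM, or nothing if no such ticket is cached.
krbtgt_times() {
    awk -v realm="$1" '
        index($0, "krbtgt/" realm "@" realm) { exp_ts = $3 " " $4; want = 1; next }
        want && $1 == "renew" && $2 == "until" { print exp_ts, $3, $4; done = 1; exit }
        want { print exp_ts, "none"; done = 1; exit }
        END { if (want && !done) print exp_ts, "none" }'
}

# ticket_action NOW REALM < klist-output
# Prints: renew (valid and before "renew until": run kinit -R, then aklog),
#         kinit (no ticket, expired, or past "renew until": new ticket needed),
#         valid (ticket usable but was never renewable).
ticket_action() {
    now=$(ts_key "$1")
    times=$(krbtgt_times "$2")
    [ -n "$times" ] || { echo kinit; return; }
    set -- $times
    [ "$now" -lt "$(ts_key "$1 $2")" ] || { echo kinit; return; }
    [ "$3" != "none" ] || { echo valid; return; }
    [ "$now" -lt "$(ts_key "$3 $4")" ] && echo renew || echo kinit
}

# On a real machine, apply the decision with the commands from this page.
refresh_tokens() {
    case "$(klist 2>/dev/null | ticket_action "$(date '+%m/%d/%Y %H:%M:%S')" UNIV.PITT.EDU)" in
        renew) kinit -R && aklog ;;
        kinit) echo "Renewal no longer possible: run kinit <username>@UNIV.PITT.EDU, then aklog" ;;
        *)     echo "Ticket is valid but cannot be renewed; kinit again when it expires" ;;
    esac
}

# Constructed sample klist output (two tickets, as after running aklog).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdoe@UNIV.PITT.EDU

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
        renew until 01/08/2024 09:00:00
01/01/2024 09:00:05  01/01/2024 19:00:00  afs/cs.pitt.edu@UNIV.PITT.EDU
        renew until 01/08/2024 09:00:00'

printf '%s\n' "$SAMPLE_KLIST" | ticket_action "01/01/2024 12:00:00" UNIV.PITT.EDU   # renew
```

Run refresh_tokens from a shell where klist, kinit and aklog are on your PATH; the sample at the bottom only exercises the decision logic offline.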
Destroying your tickets and tokens
At any point, you can destroy your AFS tokens with unlog and your Kerberos 5 tickets with kdestroy.
Changing your password
You can change your password by doing kpasswd. You can only do this once per day.
Alternative to reauth
In the old environment, we had reauth to keep your tokens alive. In this new one, we have krenew. Krenew will automatically renew your Kerberos tickets and AFS tokens until the renewal period expires, after which point you will need to obtain a new ticket with kinit.
To use krenew, do krenew -b -t -K <minutes>. The arguments mean the following: -b starts krenew in the background, -t renews the AFS token, and -K <minutes> is how often the Kerberos ticket and tokens are renewed.
Troubleshooting
Cannot get a token on Windows / RPC Error / Clock Skew Error
Check the clock on your computer.
AFS relies upon the current time in order to function. One common cause of AFS errors is the clock on your computer not being set to the correct time and TIME ZONE.
In Pittsburgh, please make sure your time zone is set to "(UTC-05:00) Eastern Time (US & Canada)".
After changing the timezone and time to be correct, navigate to C:\Users\<your windows username>\AppData\Local\Temp and delete any krb5* files. Reboot your computer and try again.
Java JDK and Kerberos
The Java JDK comes with built-in versions of the Kerberos binaries. This can cause issues on some configurations.
If you are getting Java errors when you try a Kerberos command, check your PATH environment variable. Ensure that the directory containing the MIT or Heimdal Kerberos binaries comes before Java's. If not, please change your PATH environment variable so that Kerberos appears before Java. Please refer to your operating system's documentation for how to do this.