It is possible to obtain a Kerberos ticket, for example inside a batch job, and subsequently an AFS token, without entering a password at any point in the procedure.
# You first need to create a personal keytab. Whoever has access to it can generate a kerberos-ticket on your behalf, so KEEP IT SAFE.
# For example
mkdir -p $HOME/.ssh
chmod 700 $HOME/.ssh

# create a keytab.
# Every time you change your DESY password, this step has to be repeated.
cd $HOME/.ssh
/usr/bin/ktutil
ktutil: addent -password -p your-username@DESY.DE -k 1 -e aes256-cts
Password for username@DESY.DE: [enter your password]
ktutil: wkt keytab
ktutil: quit

# KEEP IT SAFE: readable by you only
chmod 600 $HOME/.ssh/keytab

# try it out
[someone@node ~]$ klist
klist: No credentials cache found (filename: )
[someone@node ~]$ tokens
Tokens held by the Cache Manager:
--End of list--
[someone@node ~]$ kinit -f someone@DESY.DE -k -t $HOME/.ssh/keytab -c $HOME/.ssh/someone.cc
# the variable must be exported, otherwise klist/aklog keep using the default cache
[someone@node ~]$ export KRB5CCNAME=FILE:$HOME/.ssh/someone.cc
[someone@node ~]$ klist
Ticket cache: FILE:/home/someone/.ssh/someone.cc
Default principal: someone@DESY.DE

Valid starting       Expires              Service principal
12/09/2019 20:28:05  12/10/2019 20:28:05  krbtgt/DESY.DE@DESY.DE
        renew until 12/11/2019 20:28:05
12/09/2019 20:28:05  12/10/2019 20:28:05  afs/desy.de@DESY.DE
        renew until 12/11/2019 20:28:05
[someone@node ~]$ aklog
[someone@node ~]$ tokens
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@desy.de [Expires Dec 10 20:28]
--End of list--
It works pretty much the same way for Windows credentials:
# You first need to create a personal keytab. Whoever has access to it can generate a kerberos-ticket on your behalf, so keep it safe.
#
cd $HOME/.ssh
/usr/bin/ktutil
ktutil: addent -password -p your-username@WIN.DESY.DE -k 1 -e aes256-cts
Password for username@WIN.DESY.DE: [enter your password]
ktutil: wkt windows.keytab
ktutil: quit

# readable by you only, as for the DESY.DE keytab above
chmod 600 $HOME/.ssh/windows.keytab

# try it out
[someone@node ~]$ klist
klist: No credentials cache found (filename: )
[someone@node ~]$ /usr/bin/kinit -f someone@WIN.DESY.DE -k -t $HOME/.ssh/windows.keytab -c $HOME/.ssh/someone.cc
[someone@node ~]$ export KRB5CCNAME=FILE:$HOME/.ssh/someone.cc
[someone@node ~]$ klist
Ticket cache: FILE:/afs/desy.de/user/s/someone/.ssh/someone.cc
Default principal: someone@WIN.DESY.DE

# the ticket can be used to authenticate with smbclient
[someone@node ~]$ smbclient //ntapwin1.desy.de/someone$ -k
smb: \> ls
[...]
# works!
smb: \> quit

# unfortunately this currently doesn't work for smb-mounts with gio/gvfs ...
Note: the keytab itself has no expiration date. However, it becomes invalid as soon as you change your password and must then be recreated.
Note: on Maxwell, /software/tools/bin/gettoken will obtain a Kerberos ticket and an AFS token for you, provided the keytab is stored as $HOME/.ssh/maxwell.keytab.
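The AFS procedure above, wrapped as a batch-job prologue that refuses to use a keytab other users could read before it calls kinit and aklog. This is an added example, not DESY's gettoken script; the principal, keytab and cache paths are placeholders passed as arguments, and the permission check assumes GNU stat (Linux).

```shell
#!/bin/sh
# Batch-job prologue: get a Kerberos ticket and an AFS token from a personal
# keytab. Added example; PRINCIPAL, KEYTAB and CACHE are placeholders.

# keytab_is_private FILE: succeeds only if FILE exists, is owned by the
# calling user and has no group/other permission bits (e.g. mode 600).
# Assumes GNU stat (Linux).
keytab_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null) || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$mode" in
        0|*00) return 0 ;;   # group and other bits are all zero
        *)     return 1 ;;
    esac
}

# get_afs_token PRINCIPAL KEYTAB CACHE: acquire a forwardable ticket into a
# job-private credential cache, then an AFS token for this process.
get_afs_token() {
    principal=$1; keytab=$2; cache=$3
    if ! keytab_is_private "$keytab"; then
        echo "refusing $keytab: must be mode 600 and owned by uid $(id -u)" >&2
        return 1
    fi
    # must be exported, otherwise aklog/klist keep using the default cache
    KRB5CCNAME="FILE:$cache"
    export KRB5CCNAME
    kinit -f -k -t "$keytab" -c "$cache" "$principal" || return 1
    aklog || return 1
}

# Usage: sh prologue.sh someone@DESY.DE "$HOME/.ssh/keytab" "$HOME/.ssh/someone.cc"
if [ $# -eq 3 ]; then
    get_afs_token "$1" "$2" "$3"
fi
```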