
Accessing PDC systems from KTH Ubuntu

When accessing PDC systems, you need to use the special tools pdc-kinit, pdc-ssh, pdc-scp, etc.

Both PDC systems and KTH Ubuntu systems use Kerberos authentication, but they are in different realms. Replacing the login session's credentials with PDC credentials will destroy access to your AFS home directory and crash applications or the entire login session.

Instead, start a terminal window and run

pdc-kinit

Note that you must use your PDC password (for the realm NADA.KTH.SE), not the KTH password (for the realm KTH.SE).

You can then use the pdc-* tools to access PDC systems. PDC versions of most tools (kinit, klist, kdestroy, ssh, scp…) are available. You can also use, for example, rsync with a command-line option:

rsync -av -e "pdc-ssh" /path/to/directory someloginnode.pdc.kth.se:/path/to/destination

See also the information at PDC.

Alternatives

You can use kpagsh to set up a credentials sandbox (more below) with tickets to PDC's realm NADA.KTH.SE, but you will then need to run all commands in that terminal window.

Note that while you can use AFS rights and cross-realm authentication between the pdc.kth.se and kth.se AFS cells, this may change the UID on files in the home directory. This does not affect the actual access rights (set by AFS), but some applications may complain about UFS rights. In particular, Gnome and other desktop environments may crash, or show strange error messages.

Access from systems without centralized authentication

Laptops, self-managed workstations and other vanilla Linux/Unix systems usually have local home directories. There, you can use normal kinit to authenticate as either username@KTH.SE (to KTH systems) or username@NADA.KTH.SE (to PDC systems).

You can also set up credential sandboxes (Process Authentication Groups, PAGs) to run sessions with KTH and PDC credentials simultaneously. Heimdal Kerberos provides the kpagsh command:

First terminal

$ kpagsh
$ kinit -f alice@KTH.SE
$ klist -f
Credentials cache: FILE:/tmp/krb5cc_8LkMt2
        Principal: alice@KTH.SE
  Issued                Expires             Flags    Principal
Mar 16 10:42:11 2020  Mar 19 10:42:11 2020  FIA    krbtgt/KTH.SE@KTH.SE

$ ssh -K -o GSSAPIKeyExchange=yes alice@student-shell.sys.kth.se

alice@student-shell-1:~$ klist -f
Credentials cache: FILE:/tmp/krb5cc_5649738_kohVae2ZGh
        Principal: alice@KTH.SE
  Issued                Expires             Flags    Principal
Mar 16 10:42:21 2020  Mar 17 10:42:21 2020  FfA    krbtgt/KTH.SE@KTH.SE
Mar 16 10:42:21 2020  Mar 17 10:42:21 2020  FfA    afs/kth.se@KTH.SE

Second terminal

$ kpagsh
$ kinit -f alice@NADA.KTH.SE
$ klist -f
Credentials cache: FILE:/tmp/krb5cc_aiBei9
        Principal: alice@NADA.KTH.SE
  Issued                Expires             Flags    Principal
Mar 16 10:46:41 2020  Mar 17 10:46:41 2020  FIA    krbtgt/NADA.KTH.SE@NADA.KTH.SE

$ ssh -K -o GSSAPIKeyExchange=yes alice@tegner.pdc.kth.se

tegner-login-1$ module add heimdal
tegner-login-1$ klist -f
Credentials cache: FILE:/tmp/krb5cc_56406_Aa3xeeghP3
        Principal: alice@NADA.KTH.SE
  Issued                Expires             Flags    Principal
Mar 16 10:46:50 2020  Mar 17 10:46:58 2020  FfA    krbtgt/NADA.KTH.SE@NADA.KTH.SE
Mar 16 10:46:52 2020  Mar 17 10:46:58 2020  FfA    afs/pdc.kth.se@NADA.KTH.SE
Mar 16 10:46:52 2020  Mar 17 10:46:58 2020  FfA    afs@NADA.KTH.SE
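
A preflight check for the two-terminal setup above, as an added example that is not part of the KTH or PDC documentation: it parses Heimdal klist -f output to confirm that the current terminal holds tickets for the realm the target host needs and that the TGT is forwardable before you run ssh -K. The function names and the host-suffix-to-realm mapping are assumptions made for illustration, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: check that the tickets in this terminal match the host
# you are about to reach with "ssh -K". Parses Heimdal "klist -f" output.

# Print the realm of the cache's default principal (klist text on stdin).
cache_realm() {
    awk '$1 == "Principal:" { sub(/^.*@/, "", $2); print $2; exit }'
}

# Print the flags column of the krbtgt ticket (klist -f text on stdin).
tgt_flags() {
    awk 'index($NF, "krbtgt/") == 1 { print $(NF-1); exit }'
}

# Realm a host needs, per this page: PDC hosts use NADA.KTH.SE, other
# KTH hosts use KTH.SE. Matching on the host suffix is an assumption.
expected_realm() {
    case "$1" in
        *.pdc.kth.se) echo "NADA.KTH.SE" ;;
        *.kth.se)     echo "KTH.SE" ;;
        *)            echo "UNKNOWN" ;;
    esac
}

# preflight HOST, with klist -f text on stdin. Returns 0 only if the realm
# matches and the TGT is forwardable (F), which ssh -K delegation needs.
preflight() {
    out=$(cat)
    have=$(printf '%s\n' "$out" | cache_realm)
    want=$(expected_realm "$1")
    flags=$(printf '%s\n' "$out" | tgt_flags)
    if [ "$have" != "$want" ]; then
        echo "realm mismatch: have '$have', $1 needs '$want'"; return 1
    fi
    case "$flags" in
        *F*) echo "ok: $have tickets, forwardable"; return 0 ;;
        *)   echo "TGT not forwardable; rerun kinit -f"; return 2 ;;
    esac
}

# Constructed sample in the format of the transcript above.
SAMPLE='Credentials cache: FILE:/tmp/krb5cc_EXAMPLE
        Principal: alice@NADA.KTH.SE
  Issued                Expires             Flags    Principal
Mar 16 10:46:41 2020  Mar 17 10:46:41 2020  FIA    krbtgt/NADA.KTH.SE@NADA.KTH.SE'

# Live use: klist -f | preflight tegner.pdc.kth.se
```

A realm mismatch (return code 1) means you are in the wrong kpagsh terminal for that host; a return code of 2 means the ticket was obtained without kinit -f.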