[14548] in Kerberos


Re: addprinc -maxlife maxtixlife (?!)

daemon@ATHENA.MIT.EDU (Turbo Fredriksson)
Fri Jun 8 04:51:58 2001

To: kerberos@MIT.EDU
From: Turbo Fredriksson <turbo@bayour.com>
Date: 08 Jun 2001 10:49:20 +0200
In-Reply-To: Wyllys Ingersoll's message of "Thu, 7 Jun 2001 10:44:45 -0400 (EDT)"
Message-ID: <87pucfgxv3.fsf@papadoc.bayour.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

>>>>> "Wyllys" == Wyllys Ingersoll <Wyllys.Ingersoll@eng.sun.com> writes:

    Wyllys> Try: -maxlife "12 hours" or -maxlife "90 days"
 
Weird, I thought I tested that... Ah, well. This works, thanx.


Now, another question, of a more philosophical nature.

I have here an OpenLDAP server which should do some replication to another
OpenLDAP server (the slave running on another port @ localhost). To make
sure that authentication is done correctly, I have a 'replicator' principal,
with a keytab (/etc/krb5.keytab.slurpd). Getting a ticket automatically before
starting slurpd is done by issuing the commands:

        export KRB5CCNAME=FILE:/var/run/slapd.krbenv
        kinit -k -t /etc/krb5.keytab.slurpd replicator@BAYOUR.COM

The replicator should be running 24 hours a day, 7 days a week (preferably
NEVER being shut down, but .. :). So the question is: for the 'replicator'
principal, how long should I let the ticket live (-maxlife) and how
long should I allow it to be renewable (-maxrenewlife)? And how often
should I renew the ticket from a cron script?

Currently the ticket lives for 9 hours, and I have the following line
in my /etc/crontab file.

        KRB5CCNAME=FILE:/var/run/slapd.krbenv
        0 */9   * * *   root    test -e /var/run/slapd.krbenv && kinit -k -t /etc/krb5.keytab.slurpd replicator@BAYOUR.COM

But is there a better way to do it?

-- 
 Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
 ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden

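The refresh policy the post is asking about, as an added example that is not part of the original message or of any Kerberos distribution. It keeps the principal, keytab and cache path named above, and everything else (the ticket lifetime, the renewable lifetime, the cron interval, the safety margin, and the script name refresh_ticket.sh) is a hypothetical choice for illustration. The decision rule is the one Kerberos itself enforces: a ticket can be renewed with kinit -R only while it is still valid and before its renew-until time, after which the only option is a fresh kinit -k from the keytab. The simulator replays that rule over a week so the cadence can be checked without a KDC.

```shell
#!/bin/sh
# Added example (not from the original post): a ticket-refresh policy for a
# long-running service principal that holds its own keytab, plus a dry-run
# simulator so the renew/reacquire cadence can be checked without a KDC.
# Assumed values: principal, keytab and cache path are the ones named in the
# post; the lifetimes, cron interval and safety margin are hypothetical.

KEYTAB=${KEYTAB:-/etc/krb5.keytab.slurpd}
PRINC=${PRINC:-replicator@BAYOUR.COM}
export KRB5CCNAME=${KRB5CCNAME:-FILE:/var/run/slapd.krbenv}

# choose_action NOW EXPIRES RENEW_UNTIL MARGIN   (all epoch seconds)
# Prints keep, renew or reacquire. Renewal is only possible while the ticket
# is still valid and before renew-until; renewing within MARGIN of renew-until
# would only yield a stub ticket, so we go back to the keytab early instead.
choose_action() {
  ca_now=$1 ca_exp=$2 ca_ru=$3 ca_margin=$4
  if [ $((ca_exp - ca_now)) -gt "$ca_margin" ]; then
    echo keep
  elif [ "$ca_now" -lt "$ca_exp" ] && [ $((ca_ru - ca_now)) -gt "$ca_margin" ]; then
    echo renew
  else
    echo reacquire
  fi
}

# simulate_schedule LIFE RENEWLIFE INTERVAL MARGIN HORIZON
# Starting from a freshly issued ticket (lifetime LIFE, renewable for
# RENEWLIFE), applies choose_action every INTERVAL seconds up to HORIZON and
# prints how many keep/renew/reacquire decisions a cron job would make.
# A renewed ticket expires at min(now + LIFE, renew_until), as the KDC does;
# a reacquired one gets a fresh expiry and a fresh renew_until.
simulate_schedule() {
  s_life=$1 s_renew=$2 s_step=$3 s_margin=$4 s_end=$5
  s_t=0 s_exp=$1 s_ru=$2 s_keep=0 s_ren=0 s_re=0
  while [ "$s_t" -le "$s_end" ]; do
    case $(choose_action "$s_t" "$s_exp" "$s_ru" "$s_margin") in
      keep)
        s_keep=$((s_keep + 1)) ;;
      renew)
        s_ren=$((s_ren + 1))
        s_exp=$((s_t + s_life))
        if [ "$s_exp" -gt "$s_ru" ]; then s_exp=$s_ru; fi ;;
      reacquire)
        s_re=$((s_re + 1))
        s_exp=$((s_t + s_life)); s_ru=$((s_t + s_renew)) ;;
    esac
    s_t=$((s_t + s_step))
  done
  echo "keep=$s_keep renew=$s_ren reacquire=$s_re"
}

# refresh: what cron actually runs. Rather than parsing klist's locale- and
# implementation-dependent date output, it relies on MIT klist -s (exit 0 while
# the cache still holds a usable TGT), tries the cheap renewal first, and falls
# back to a fresh keytab kinit whenever renewal is refused (ticket expired, or
# past its renew-until).
refresh() {
  if klist -s 2>/dev/null && kinit -R "$PRINC" 2>/dev/null; then
    return 0
  fi
  kinit -k -t "$KEYTAB" "$PRINC"
}

# Only talk to Kerberos when run explicitly as `refresh_ticket.sh refresh`
# (e.g. hourly from cron); running or sourcing it without arguments is inert.
if [ "${1:-}" = refresh ]; then
  command -v kinit >/dev/null 2>&1 || { echo "kinit not found" >&2; exit 1; }
  refresh
fi
```

With a 9-hour ticket renewable for 7 days, an hourly cron run and a 2-hour margin, the simulator reports 23 renewals and a single keytab re-acquisition over the week, so a crontab line such as `0 * * * * root /usr/local/sbin/refresh_ticket.sh refresh` (hypothetical path) keeps the cache fresh without ever letting it lapse between runs, which the 9-hourly schedule in the post can do if one kinit fails. Two caveats a practitioner would add: because the keytab is on disk anyway, renewability buys little here, and a short maxlife with a frequent kinit -k is the simplest sound choice; and whoever can read either /etc/krb5.keytab.slurpd or the cache file is the replicator, so both should be owned by the account that runs slurpd and be mode 0600.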
