[30988] in Kerberos


Re: Linux Daemons and Kerberos Tickets

daemon@ATHENA.MIT.EDU (Javier Palacios)
Thu Apr 9 04:06:24 2009

MIME-Version: 1.0
In-Reply-To: <e787829d-f367-49b9-a9ec-4513dfa6cd20@v23g2000pro.googlegroups.com>
Date: Thu, 9 Apr 2009 10:05:33 +0200
Message-ID: <a64bf030904090105m26cf77c8w7e607f83a47527bd@mail.gmail.com>
From: Javier Palacios <javiplx@gmail.com>
To: neelsmail@rediffmail.com
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Tue, Apr 7, 2009 at 3:10 PM,  <neelsmail@rediffmail.com> wrote:
> Hi,
>
> I wanted to know whether there are any recommendations regarding
> following scenario:
>
> - In order for Linux daemons to be running in Kerberos/Active Directory
> users' context, a (krbtgt) ticket is needed and is fetched by kinit.
> - But this ticket is usually valid for some time depending on user
> configuration and it needs to be renewed.
>
> Is there a recommended way of renewing/getting new ticket for the
> user?
>
> One of the ways suggested to me was to run kinit externally as a cron job
> for every user you want every n hours. But that seems dangerous to me.

If you mean a daemon which requires Kerberos authentication (for
example sshd or httpd) you don't need to kinit anything but use a
keytab, which is read when required.

If you mean a daemon which acts as a client, then you need a TGT for
that user/daemon, and either you code the kinit stuff within, or you
use kinit from an external cron. I don't see any other alternatives.

Javier Palacios
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
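The second case in the reply above (a daemon acting as a Kerberos client that has to keep its own TGT fresh), as an added Python example that is not part of this thread: it parses `klist` output for the krbtgt entry and decides whether to leave the ticket alone, renew it with `kinit -R`, or re-acquire it non-interactively from a keytab with `kinit -k -t`, so nothing holding a password ever needs to sit in a cron script. The principal, keytab path and klist sample are constructed, and the default MIT klist timestamp format (MM/DD/YY HH:MM:SS) is assumed.

```python
import re
from datetime import datetime, timedelta
# Default MIT klist timestamp format (assumed: two-digit year, as older releases print).
KLIST_TIME = "%m/%d/%y %H:%M:%S"
TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
TGT_LINE = re.compile(rf"^({TS})\s+({TS})\s+krbtgt/\S+$", re.M)
RENEW_LINE = re.compile(rf"renew until ({TS})")

# Constructed klist output for a hypothetical "backupd" client daemon.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1001
Default principal: backupd/host.example.com@EXAMPLE.COM

Valid starting     Expires            Service principal
04/09/09 10:05:33  04/09/09 20:05:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/16/09 10:05:33
"""

def parse_tgt(klist_output):
    """Return (expires, renew_until or None) for the krbtgt entry, or None if absent."""
    m = TGT_LINE.search(klist_output)
    if m is None:
        return None
    expires = datetime.strptime(m.group(2), KLIST_TIME)
    # klist prints "renew until" on the line directly after a renewable ticket.
    next_line = klist_output[m.end():].lstrip("\n").split("\n", 1)[0]
    r = RENEW_LINE.search(next_line)
    renew_until = datetime.strptime(r.group(1), KLIST_TIME) if r else None
    return expires, renew_until

def plan_renewal(klist_output, now, threshold=timedelta(minutes=30)):
    """Return "ok", "renew" or "reacquire" for the cache state at time `now`."""
    tgt = parse_tgt(klist_output)
    if tgt is None:
        return "reacquire"  # no TGT in the cache at all
    expires, renew_until = tgt
    if expires - now > threshold:
        return "ok"
    # `kinit -R` only works while the TGT is still valid and before renew-until;
    # otherwise the daemon must get a fresh TGT from its keytab.
    if expires > now and renew_until is not None and renew_until - now > threshold:
        return "renew"
    return "reacquire"

def kinit_argv(action, principal, keytab):
    """argv to run for an action; None when the ticket is fine as it is."""
    if action == "renew":
        return ["kinit", "-R"]
    if action == "reacquire":
        return ["kinit", "-k", "-t", keytab, principal]
    return None
```

Run from cron as the daemon's own user, this needs only that the keytab file be readable by that user alone, which is the usual way to avoid the password-in-a-script risk the original question raises.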
