[32639] in Kerberos
Re: ticket renew lifetime limited by Windows KDC policy
daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Sep 6 17:25:30 2010
From: Russ Allbery <rra@stanford.edu>
To: Di Pe <dipeit@gmail.com>
In-Reply-To: <AANLkTi=fq-HUdgD2hYA4Wz5fmrKfB-tcyMGWB4H01b+m@mail.gmail.com>
(Di Pe's message of "Mon, 6 Sep 2010 12:03:55 -0700")
Date: Mon, 06 Sep 2010 14:25:24 -0700
Message-ID: <87wrqy4la3.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
Di Pe <dipeit@gmail.com> writes:
> This seems to be a good idea. I used
> export PROMPT_COMMAND="k5start -H 500"
> and it does what it's supposed to do.
> One issue though: k5start seems to look at ticket_lifetime instead of
> renew_lifetime. ticket_lifetime is enforced to 10 hours by active
> directory. If I don't use a cron job to renew the ticket users would
> have to enter their credentials every few hours or so which is not
> good if they run jobs over night.
Yeah, you ideally want k5start to renew the ticket if it can, and if not,
prompt. That's something that k5start -H should probably just do by
default. It doesn't do that right now and it will require some coding.
I'll add it to the to-do list.
> Another problem we notice on our terminal server is that user sessions
> are completely locking up when a ticket expires on a nfs mounted home
> directory. It would be good if we had a cron job that forces a logout
> for users where the ticket is about to expire in 60 minutes or less. Is
> there a way to check for a happy ticket in a shell script without
> getting a prompt if the ticket is not happy?
Also a good idea. There isn't at the moment.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
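
One way to approximate the check asked about above from a cron job, by parsing klist output instead of using k5start (added example, not part of the original message and not k5start code). The function names are hypothetical, the klist output is a constructed sample, and the script assumes MIT klist's default table layout and GNU date.

```shell
#!/bin/sh
# Non-interactive check of remaining TGT lifetime (added example).
# Assumptions: MIT klist default table output, GNU date for "-d" parsing.
# Real use:  klist 2>/dev/null | ticket_happy 3600 "$(date +%s)"

# Print the "Expires" date and time of the first krbtgt entry read on stdin.
tgt_expiry() {
    awk '$5 ~ /^krbtgt\// { print $3, $4; exit }'
}

# seconds_left NOW_EPOCH < klist-output
# Prints seconds until the TGT expires (negative if already expired).
# Returns 2 when there is no TGT line or the timestamp cannot be parsed.
seconds_left() {
    now=$1
    exp=$(tgt_expiry)
    [ -n "$exp" ] || return 2
    exp_epoch=$(date -d "$exp" +%s 2>/dev/null) || return 2
    echo $((exp_epoch - now))
}

# ticket_happy MIN_SECONDS NOW_EPOCH < klist-output
# Exit 0 only if a TGT exists and has at least MIN_SECONDS left.
# Never prompts: it only reads text that klist already printed.
ticket_happy() {
    left=$(seconds_left "$2") || return 2
    [ "$left" -ge "$1" ]
}

# Constructed sample of klist output (not captured from a real system).
sample_klist() {
cat <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
09/06/10 12:00:00  09/06/10 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 09/13/10 12:00:00
EOF
}

# Demo on the sample: its ticket expired in 2010, so this reports "not happy".
sample_klist | ticket_happy 3600 "$(date +%s)" \
    || echo "TGT missing or expiring within 60 minutes"
```

klist prints times in the local time zone and date -d parses them in the same zone, so the cron job should run with the TZ that klist sees.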