On 10/13/2016 09:34 PM, Kevin Fenzi wrote:
>> * If we are not completely retiring the koji CA, are we
> If not retired it has to be replaced, could be certs from freeipa
> that auto renew with certmonger, which I suspect users would like
> better than entering their kerberos password once a day.
Well, we can adjust the kerberos settings. If they can renew for a week
would that be sufficient?
Couldn't users simply generate a keytab for themselves? Koji client
supports keytabs directly (via setting in koji.conf or --keytab param),
for other services it should be possible to run "kinit -k" (which can
even be run from startup scripts, cron etc.)