On Mon, Nov 15, 2010 at 11:48:03PM -0500, Simo Sorce wrote:
On Mon, 15 Nov 2010 14:49:52 +0100
Sumit Bose <sbose(a)redhat.com> wrote:
> Hi,
>
> this series of patches adds support for automatic Kerberos ticket
> renewal, see also trac ticket #369.
>
> There are several things I'd like to discuss:
> - in the ticket a separate process which should handle the renewal was
> mentioned. Currently the patches just create a timed task in the
> krb5 provider because I think most of the typical use cases do not
> justify the overhead we create with a separate process. But I'm open
> for other arguments.
Good choice. Let's not have more processes around than needed.
> - I have added options to request a TGT with a specific lifetime/renewal
> time. The corresponding options in krb5.conf have a trailing letter
> indicating the time unit. I have copied this behaviour to help
> migrations although we typically use only seconds without a unit in
> sssd.conf. Is this a good idea or shall I change it to seconds or do
> we want to support both formats?
Probably defaulting to seconds if no unit is given but also supporting
a unit specifier is a good idea. I'd support both.
ok, thanks for the comments. A patch which handles the missing unit
is attached.
bye,
Sumit
> - Currently everything is held in RAM and after a restart nothing is
> renewed automatically. I plan to send a new patch which checks all
> ccfiles we have in the cache and if renewal is possible it adds them
> to the list at startup. I think this approach makes more sense than
> writing the list of renewable tickets to disk. Do you agree?
A re-scan is a good idea, if the ccache is gone for some reason
(root reformatted /tmp during the outage for example) having a stale
list on disk just begs for a re-scan anyway.
Simo.
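
The option format agreed on in this thread (an integer with an optional trailing unit letter, seconds when no unit is given), as an added example that is not part of the thread or of the attached patch. The function name `parse_lifetime`, the unit letters s/m/h/d and the strict rejection rules are assumptions of this sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not SSSD code: parse "<integer>[s|m|h|d]" into seconds.
 * A missing unit means seconds. Returns 0 on success, -1 on invalid input. */
int parse_lifetime(const char *str, long *seconds)
{
    char *end;
    long value, mult;

    if (str == NULL || seconds == NULL) return -1;
    /* strtol() would skip leading whitespace and accept a sign; require a digit. */
    if (!isdigit((unsigned char)str[0])) return -1;

    errno = 0;
    value = strtol(str, &end, 10);
    if (errno == ERANGE) return -1;

    switch (*end) {
    case '\0': mult = 1; break;              /* no unit: seconds */
    case 's':  mult = 1; end++; break;
    case 'm':  mult = 60; end++; break;
    case 'h':  mult = 3600; end++; break;
    case 'd':  mult = 86400; end++; break;
    default:   return -1;                    /* unknown unit letter */
    }
    if (*end != '\0') return -1;             /* trailing garbage, e.g. "10hh" */
    if (value > LONG_MAX / mult) return -1;  /* multiplication would overflow */

    *seconds = value * mult;
    return 0;
}

int main(void)
{
    /* Constructed sample values. */
    const char *samples[] = { "3600", "10h", "7d", "90m", "10x", "-5h", "1h30m", "" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long secs;
        if (parse_lifetime(samples[i], &secs) == 0)
            printf("%-6s -> %ld s\n", samples[i], secs);
        else
            printf("%-6s -> rejected\n", samples[i]);
    }
    return 0;
}
```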