On 09/25/2013 09:41 AM, Stephen Gallagher wrote:
On 09/25/2013 08:40 AM, Michael Gliwinski wrote:
> Hi all,

> Currently SSSD (when configured with krb5_renew_interval, etc.)
> will only renew tickets it itself created.  Is it possible to
> somehow tell it to also look after some other ccaches?

> The use case I have is for sessions started e.g. via sudo -u +
> manual kinit or SSH PKI or SSH GSS-API (i.e. passwordless logins).
> Those are sometimes long-running, but the tickets won't be renewed
> automatically currently.

> If not currently possible, I was thinking of creating some simple
> program that would call SSSD functions to "register" a specified
> ccache path (krb5_save_ccname + add_tgt_to_renew_table?).  Do you
> see any problems with this approach?  Would those functions be
> somehow accessible from Python API?


The SSSD team has been considering handling this for some time. The
tickets tracking it are:

https://fedorahosted.org/sssd/ticket/1497 (targeted for 1.13)
and
https://fedorahosted.org/sssd/ticket/1723 (currently deferred)


I think the use case is a bit different.
If you are using automated logins, then it is better to have a special user and give it a keytab. You can then use a cron job to kinit periodically using this keytab.
Starting with Kerberos 1.11 (F19, RHEL7), every GSSAPI connection would automatically force the underlying Kerberos library to reacquire the ticket for the user if it is not available, so the cron job can just be removed. Also, we recommend using GSS proxy (F19, RHEL7) in this case for better access control and privilege separation. https://fedorahosted.org/gss-proxy/

> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users


--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


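The "special user + keytab + periodic kinit" approach from the reply above, as an added example that is not part of the thread and not SSSD or GSS-Proxy code. It is a cron-driven job that reads the service account's cache with klist, works out how much TGT lifetime is left, and re-acquires from the keytab (kinit -k -t) only when the cache is missing, expired, or about to expire, so a job running every 15 minutes does not hammer the KDC. The principal, keytab path, cache path and threshold are hypothetical placeholders; the timestamp parsing assumes MIT klist's default C-locale layout (MM/DD/YYYY HH:MM:SS on the krbtgt line) and GNU date -d. Long-running jobs are expected to point KRB5CCNAME at the same cache. As the reply notes, with krb5 1.11+ and a client keytab a GSSAPI client can reacquire on its own, in which case this job is unnecessary.

```shell
#!/bin/sh
# Added example (not SSSD or GSS-Proxy code): keep a service account's TGT
# fresh from a keytab, for long-running passwordless jobs.
#
# Hypothetical values, adjust to your realm:
#   PRINCIPAL  service principal whose key is in the keytab
#   KEYTAB     keytab readable only by the service user
#   CCACHE     the cache the long-running jobs use via KRB5CCNAME
#   MIN_LEFT   re-acquire when fewer than this many seconds remain
PRINCIPAL="${PRINCIPAL:-svc-batch@EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/krb5/svc-batch.keytab}"
CCACHE="${CCACHE:-FILE:/run/svc-batch/krb5cc}"
MIN_LEFT="${MIN_LEFT:-3600}"

# Print the "Expires" stamp of the krbtgt entry in klist output, i.e. fields
# 3 and 4 of the line "<valid starting> <expires> krbtgt/REALM@REALM".
# Assumes MIT klist's default C-locale layout.
tgt_expiry_string() {
    printf '%s\n' "$1" | awk '/krbtgt\// { print $3 " " $4; exit }'
}

# Seconds of TGT lifetime left, given klist output and a reference epoch.
# Prints 0 when no krbtgt entry is present (empty or unreadable cache).
# Uses GNU date -d to turn the MM/DD/YYYY HH:MM:SS stamp into epoch seconds.
seconds_left() {
    klist_out=$1
    now=$2
    expiry=$(tgt_expiry_string "$klist_out")
    [ -n "$expiry" ] || { echo 0; return 0; }
    exp_epoch=$(date -d "$expiry" +%s)
    echo $(( exp_epoch - now ))
}

# Succeeds (exit 0) when the cache should be re-acquired: no TGT, an expired
# TGT (negative remainder), or fewer than MIN_LEFT seconds remaining.
needs_renewal() {
    left=$(seconds_left "$1" "$2")
    [ "$left" -lt "$MIN_LEFT" ]
}

# kinit -k -t authenticates with the keytab, so there is no password and no
# prompt; -c writes the fresh TGT into the shared cache.
renew_from_keytab() {
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL"
}

main() {
    # klist exits non-zero when the cache is missing or unreadable; an empty
    # string then makes needs_renewal succeed, so the cache gets (re)created.
    out=$(LC_ALL=C klist -c "$CCACHE" 2>/dev/null) || out=""
    if needs_renewal "$out" "$(date +%s)"; then
        renew_from_keytab
    fi
}

# Cron entry for the service user, every 15 minutes:
#   */15 * * * * /usr/local/sbin/krb5-keytab-renew.sh run
case "${1:-}" in run) main ;; esac
```

Run it as the service user, not root, so the keytab and cache stay under one unprivileged identity; the reply's GSS-Proxy recommendation goes one step further by keeping the keytab out of the application process entirely.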