API help with ticket expiry

Keagle, Chuck chuck.keagle at boeing.com
Thu Sep 28 18:49:38 EDT 2006 

Thanks for the pointer to look at starttime and endtime.  I'm pretty new
to Kerberos.  Still gathering quite a chunk of knowledge.

That should work when the same job is running a long time and needs to
update the ticket.

When the next batch job is submitted, it comes from a new execution of
the submit program.
This program has no left around Credential or Ticket structure.  If the
user's Credential is unexpired, I'm working the issue of not updating it
every time the same user submits a new job.  Sometimes, jobs are
submitted hundreds at a time through higher level job execution scripts.
Don't want to overwhelm the KDC.

With neither a krb5_ticket nor a krb5_creds current structure, I tried
using krb5_get_credentials using KRB5_GC_CACHED and a NULL in_cred
parameter but an endtime of 0 comes back from that call.

Other ideas are welcome.

----
Not all who wander are lost.

                          |     ----  ___o  |  chuck.keagle at boeing.com
Chuck Keagle              |  -------  \ <,  |  Work:  (425) 865-1488
Enterprise Servers:  HPC  |  ----- ( )/ ( ) |  Cell:  (425) 417-3434
http://card.web.boeing.com/Webcard.cfm?id=73990
 

> -----Original Message-----
> From: Ken Hornstein [mailto:kenh at cmf.nrl.navy.mil] 
> Sent: Wednesday, September 27, 2006 9:14 PM
> To: Keagle, Chuck
> Cc: kerberos at mit.edu
> Subject: Re: API help with ticket expiry 
> 
> >I have been able to create the ticket using encrypted 
> username/password 
> >and am now working on making sure the ticket doesn't expire 
> before the 
> >job ends.  Granted, this isn't the safest mechanism, but users don't 
> >want jobs to abort if ticket expires when they are not around.
> >
> >krb5_timeofday() will obtain what I need (seconds since 
> epoch) for the 
> >current time-of-day.
> >
> How would one go about obtaining the seconds since epoch for 
> the ticket
> >expiration time-of-day?
> 
> Assuming you have a krb5_ticket structure around (actually, I 
> suspect you really have a krb5_creds structure, so lets use 
> that), you can find the expiration time in 
> creds.times.endtime structure member.
> 
> --Ken
>

More information about the Kerberos mailing list