Linux Daemons and Kerberos Tickets

Javier Palacios javiplx at gmail.com
Thu Apr 9 04:05:33 EDT 2009


On Tue, Apr 7, 2009 at 3:10 PM,  <neelsmail at rediffmail.com> wrote:
> Hi,
>
> I wanted to know whether there are any recommendations regarding
> following scenario:
>
> - In order for Linux daemons to be running in Kerberos/Active Directory
> users' context, a (krbtgt) ticket is needed and is fetched by kinit.
> - But this ticket is usually valid for some time depending on user
> configuration and it needs to be renewed.
>
> Is there a recommended way of renewing/getting new ticket for the
> user?
>
> One of the ways suggested to me was to run kinit externally as a cronjob
> for every user you want every n hours. But that seems dangerous to me.

If you mean a daemon which requires Kerberos authentication (for
example sshd or httpd) you don't need to kinit anything but use a
keytab, that is read when required.

If you mean a daemon which acts as a client, then you need a TGT for
that user/daemon, and either you code the kinit stuff within, or you
use kinit from an external cron. I don't see any other alternatives.

Javier Palacios
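
The external-cron option from the reply above, as an added example that is not part of the original post. It assumes a keytab has been provisioned for the client principal so that no password sits in the crontab; the principal, keytab path, cache path and script path are hypothetical placeholders.

```shell
#!/bin/sh
# Added example: refresh a client daemon's TGT from cron using a keytab.
# PRINCIPAL, KEYTAB and CCACHE are hypothetical placeholder values.
PRINCIPAL="${PRINCIPAL:-svc-daemon@EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/security/keytabs/svc-daemon.keytab}"
CCACHE="${CCACHE:-FILE:/run/svc-daemon/krb5cc}"
KINIT="${KINIT:-kinit}"   # overridable so the logic can be exercised with stubs
KLIST="${KLIST:-klist}"
export KRB5CCNAME="$CCACHE"   # dedicated cache, read by both kinit and klist

# Succeed only if the keytab is a regular file (not a symlink) whose mode
# grants nothing to group or others. Uses GNU stat, as found on Linux.
keytab_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 on success, 2 if the keytab is unsafe to use, 3 if kinit fails.
refresh_ticket() {
    keytab_is_private "$KEYTAB" || return 2
    # klist -s prints nothing and exits 0 only while the cache holds a valid
    # ticket; in that case try a renewal (kinit -R) first.
    if "$KLIST" -s && "$KINIT" -R 2>/dev/null; then
        return 0
    fi
    # Otherwise obtain a fresh TGT with the keytab; no password is involved.
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" || return 3
}

# Hypothetical crontab entry for the daemon's own account:
#   0 */4 * * * /usr/local/sbin/refresh-ticket.sh --run
if [ "${1:-}" = "--run" ]; then
    refresh_ticket
    exit $?
fi
```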


