Question on k5start daemon-related example in k5start manual
Holger Rauch
holger.rauch at empic.de
Tue Aug 31 09:07:29 EDT 2010
Hi Russ (and all the others as well),
I came across
http://www.eyrie.org/~eagle/software/kstart/k5start.html
and saw the following excerpt (sample code) for use in (Debian) init scripts
===
Starts k5start as a daemon using the Debian start-stop-daemon
management program. This is the sort of line that one could put into a
Debian init script:
    start-stop-daemon --start --pidfile /var/run/k5start.pid \
        --exec /usr/local/bin/k5start -- -b -p /var/run/k5start.pid \
        -f /etc/krb5.keytab host/example.com
This uses /var/run/k5start.pid as the PID file and obtains
host/example.com tickets from the system keytab file. k5start would
then be stopped with:
    start-stop-daemon --stop --pidfile /var/run/k5start.pid
    rm -f /var/run/k5start.pid
This code could be added to an init script for Apache, for
example, to start a k5start process alongside Apache to manage its
Kerberos credentials.
===
My questions:
- When using k5start in this way, should only host principals be used
or should it also work with user principals?
- What maximum ticket lifetime is assumed/recommended for the used
principal(s) so that this particular approach works as expected?
(By "as expected" I mean that Apache runs possibly indefinitely
(provided that the Apache process doesn't dump core :-) ),
i.e. without having to be restarted manually just in order
to obtain a new, "fresh" Kerberos ticket for the corresponding
principal).
Thanks in advance & kind regards,
Holger