Question on k5start daemon-related example in k5start manual

Russ Allbery rra at stanford.edu
Tue Aug 31 15:50:07 EDT 2010


Holger Rauch <holger.rauch at empic.de> writes:

> My questions:

> - When using k5start in this way, should only host principals be used
>   or should it also work with user principals?

It will work with user principals, although of course you'll have to
generate a keytab.  What we tend to do at Stanford is create principals in
the service/* namespace where the bit after the slash is the name of the
application.

> - What maximum ticket lifetime is assumed/recommended for the used
>   principal(s) so that this particular approach works as expected?
>   (By "as expected" I mean that Apache runs possibly indefinitely
>   (provided that the Apache process doesn't dump core :-) ),
>   i.e. without having to be restarted manually just in order
>   to obtain a new, "fresh" Kerberos ticket for the corresponding
>   principal).

It shouldn't matter, since whatever lifetime you pick will control how
often k5start wakes up and renews the ticket.  We usually use settings of
-l 10h -K 30, which uses a 10 hour ticket lifetime and wakes up every
thirty minutes, but anything reasonable should be fine as long as the
ticket lifetime is equal to or less than your maximum ticket lifetime.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
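As an added example (not part of the mailing-list post or the k5start manual), the following POSIX sh snippet checks a `-l`/`-K` pair against the constraint Russ gives, then starts k5start as a daemon for a service/* keytab with the settings he mentions; the principal, keytab and cache paths are placeholders, and the flags should be checked against the k5start(1) page of the installed version.

```shell
#!/bin/sh
# Added example: sanity-check the -l/-K pair before running k5start as a
# daemon for a service principal. Keytab and cache paths are placeholders.

# Convert a single-unit Kerberos lifetime string (e.g. 10h, 1d, 30m, 600s)
# to seconds. Multi-unit strings such as 10h30m are rejected here.
lifetime_seconds() {
    v=$1
    n=${v%?}                       # strip the trailing unit letter
    case $n in ''|*[!0-9]*) return 1 ;; esac
    case $v in
        *d) echo $(( n * 86400 )) ;;
        *h) echo $(( n * 3600 )) ;;
        *m) echo $(( n * 60 )) ;;
        *s) echo "$n" ;;
        *)  return 1 ;;
    esac
}

# $1: -l ticket lifetime, $2: maximum ticket lifetime the KDC allows for
# the principal, $3: -K wake-up interval in minutes.
# Returns 0 if usable, 1 on a bad lifetime string, 2 if -l exceeds the KDC
# maximum (the reply advises keeping it at or below that), 3 if k5start
# would wake up only after the ticket had already expired.
check_k5start_settings() {
    life=$(lifetime_seconds "$1") || return 1
    max=$(lifetime_seconds "$2") || return 1
    wake=$(( $3 * 60 ))
    [ "$life" -le "$max" ] || return 2
    [ "$wake" -lt "$life" ] || return 3
    return 0
}

# Start k5start in the background for a service/* principal, writing the
# ticket cache where the Apache user can read it. Flags per k5start(1):
# -b background, -U principal from keytab, -f keytab, -k cache,
# -o/-g/-m cache owner, group and mode, -l lifetime, -K interval (minutes).
start_apache_k5start() {
    keytab=/etc/krb5.keytab.apache       # placeholder path
    cache=/var/run/apache/krb5cc         # placeholder path
    check_k5start_settings 10h 10h 30 || return $?
    k5start -b -U -f "$keytab" -k "$cache" -o apache -g apache -m 600 \
            -l 10h -K 30
}
```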
