ticket renew lifetime limited by Windows KDC policy
Russ Allbery
rra at stanford.edu
Mon Sep 6 17:25:24 EDT 2010
Di Pe <dipeit at gmail.com> writes:
> This seems to be a good idea. I used
> export PROMPT_COMMAND="k5start -H 500"
> and it does what it's supposed to do.
> One issue tough: k5start seems to look at ticket_lifetime instead of
> renew_liefetime. ticket_lifetime is enforced to 10 hours by active
> directory. If I don't use a cron job to renew the ticket users would
> have to enter their credentials every few hours or so which is not
> good if they run jobs over night.
Yeah, you ideally want k5start to renew the ticket if it can, and if not,
prompt. That's something that k5start -H should probably just do by
default. It doesn't do that right now and it will require some coding.
I'll add it to the to-do list.
> Another problem we notice on our terminal server is that user sessions
> are completely locking up when a ticket expires on a nfs mounted home
> directory. It would be good if we had a cron job that forces a logout
> for users where the ticket is about to expire in 60 minutes or less. Is
> there a way to check for a happy ticket in a shell script without
> getting a prompt if the ticket is not happy?
Also a good idea. There isn't at the moment.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list