ticket renew lifetime limited by Windows KDC policy

Russ Allbery rra at stanford.edu
Mon Sep 6 17:25:24 EDT 2010


Di Pe <dipeit at gmail.com> writes:

> This seems to be a good idea. I used
> export PROMPT_COMMAND="k5start -H 500"
> and it does what it's supposed to do.

> One issue though: k5start seems to look at ticket_lifetime instead of
> renew_lifetime. ticket_lifetime is enforced to 10 hours by Active
> Directory. If I don't use a cron job to renew the ticket, users would
> have to enter their credentials every few hours or so, which is not
> good if they run jobs overnight.

Yeah, you ideally want k5start to renew the ticket if it can, and if not,
prompt.  That's something that k5start -H should probably just do by
default.  It doesn't do that right now and it will require some coding.
I'll add it to the to-do list.

> Another problem we notice on our terminal server is that user sessions
> are completely locking up when a ticket expires on an NFS-mounted home
> directory. It would be good if we had a cron job that forces a logout
> for users where the ticket is about to expire in 60 minutes or less.  Is
> there a way to check for a happy ticket in a shell script without
> getting a prompt if the ticket is not happy?

Also a good idea.  There isn't at the moment.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
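
The non-interactive "ticket about to expire" check asked about above, done by parsing klist output outside k5start. This is an added example, not part of the original thread and not k5start's own code. It assumes MIT klist's default MM/DD/YY column layout and GNU date; the function names and the sample ticket are constructed.

```shell
#!/bin/sh
# Added example: minutes left on the TGT, computed without any prompt.
# Assumes MIT klist's default "MM/DD/YY HH:MM:SS" columns and GNU date.

# Constructed sample of klist output (not from the thread).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
09/06/10 17:25:24  09/07/10 03:25:24  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 09/13/10 17:25:24'

# Read klist output on stdin; print the TGT expiry as epoch seconds.
tgt_expiry_epoch() {
    # The TGT row ends in krbtgt/REALM@REALM; fields 3-4 are the expiry.
    tgt_exp=$(awk '$NF ~ /^krbtgt\// { print $3, $4; exit }')
    [ -n "$tgt_exp" ] || return 1
    date -d "$tgt_exp" +%s
}

# minutes_left NOW_EPOCH: klist output on stdin; prints whole minutes left.
minutes_left() {
    ml_exp=$(tgt_expiry_epoch) || return 1
    echo $(( (ml_exp - $1) / 60 ))
}

# ticket_ok MIN NOW_EPOCH: 0 = more than MIN minutes left,
# 1 = expiring or expired, 2 = no TGT found (nothing to parse).
ticket_ok() {
    ok_left=$(minutes_left "$2") || return 2
    [ "$ok_left" -gt "$1" ]
}

# Check the live cache; klist never prompts, and a missing cache yields 2.
check_cache() {
    LC_ALL=C klist 2>/dev/null | ticket_ok "${1:-60}" "$(date +%s)"
}
```

Exit status 1 from `check_cache` is the "60 minutes or less" case a cron job would act on; status 2 means there was no ticket to evaluate.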


