Inittab launching K5start too soon
Greg Hudson
ghudson at MIT.EDU
Fri May 13 08:22:46 EDT 2011
On Thu, 2011-05-12 at 13:58 -0400, Nico Williams wrote:
> Really, what should happen is that mech_krb5's gss_init_sec_context()
> automatically gets a TGT using a keytab if there's a keytab available.
> Solaris' implementation does that, though sadly it only does it for
> processes running as root.
I've thought about handling this at the ccache layer, although I was
never comfortable with the kind of syntax required to stuff a keytab
name, a subsidiary ccache name, and some auxiliary parameters into a
ccache specification.
AUTO:kt=FILE:/etc/krb5.keytab;cc=FILE:/tmp/filename;min_life=1h ... it
doesn't seem very friendly.
So, maybe it's simpler to handle it at the GSSAPI layer. Heimdal does
this, storing the acquired credentials in a memory ccache. That
approach could generate a lot of unnecessary AS-REQs, particularly in
combination with SPNEGO. On the plus side, it finesses the issue of
whether to get a new credential with the keytab or use an existing one
which is about to expire.
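The two designs weighed above can be made concrete with a small model. The following is an added illustration, not code from MIT krb5 or Heimdal: a parser for the hypothetical `AUTO:kt=...;cc=...;min_life=...` ccache syntax quoted in the message, the refresh decision it would drive (re-use the existing TGT unless it has less than `min_life` remaining, otherwise do a keytab AS-REQ), and a counter that contrasts a persistent subsidiary ccache with credentials that live only as long as one context, which is the case the message expects to cost many AS-REQs under SPNEGO. The field names `kt`, `cc` and `min_life` come from the message; the duration units, the `MEMORY:` default, the 8-hour ticket life and the call timestamps are assumptions constructed for the example.

```python
"""Model of the proposed ccache-layer AUTO: spec.

Added illustration only; not libkrb5 code. Field names kt/cc/min_life are
from the message, everything else (duration units, MEMORY: default, ticket
lifetime, call times) is assumed for the example.
"""
from dataclasses import dataclass
import re

# Assumed duration units for min_life; the message only shows "1h".
_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

SAMPLE_SPEC = "AUTO:kt=FILE:/etc/krb5.keytab;cc=FILE:/tmp/filename;min_life=1h"


def parse_duration(text):
    """'1h', '30m', '90s', '2d' or a bare number of seconds -> seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


@dataclass(frozen=True)
class AutoSpec:
    keytab: str     # keytab name, e.g. FILE:/etc/krb5.keytab
    ccache: str     # subsidiary ccache that actually stores the TGT
    min_life: int   # seconds of remaining life below which we refresh


def parse_auto_spec(spec):
    """Parse an AUTO: ccache name into its keytab, ccache and min_life.

    Only the first ':' separates the ccache type from the residual. The
    residual is ';'-separated key=value pairs whose values may themselves
    contain ':' (keytab and ccache names do), so each pair is split on the
    first '=' only. This is the nested syntax the message calls unfriendly.
    """
    ctype, sep, residual = spec.partition(":")
    if ctype != "AUTO" or not sep:
        raise ValueError(f"not an AUTO ccache spec: {spec!r}")
    fields = {}
    for item in filter(None, residual.split(";")):
        key, eq, value = item.partition("=")
        if not eq or key in fields:
            raise ValueError(f"bad or duplicate field: {item!r}")
        fields[key] = value
    unknown = set(fields) - {"kt", "cc", "min_life"}
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    if "kt" not in fields:
        raise ValueError("kt= is required")
    return AutoSpec(
        keytab=fields["kt"],
        ccache=fields.get("cc", "MEMORY:"),        # assumed default
        min_life=parse_duration(fields.get("min_life", "0")),
    )


def needs_fresh_tgt(spec, tgt_endtime, now):
    """True when the subsidiary ccache holds no TGT, or one with fewer than
    min_life seconds left, so a keytab AS-REQ should be issued instead of
    handing out a credential that is about to expire."""
    if tgt_endtime is None:
        return True
    return tgt_endtime - now < spec.min_life


def count_as_reqs(spec, call_times, tgt_lifetime=8 * 3600, persistent=True):
    """Count AS-REQs across a sequence of init_sec_context call times.

    persistent=True  models the ccache-layer design: the subsidiary ccache
                     outlives any one security context.
    persistent=False models credentials that are discarded with each
                     context, so every call pays an AS-REQ (the cost the
                     message attributes to a per-context memory ccache,
                     especially under SPNEGO's repeated mech calls).
    """
    as_reqs = 0
    endtime = None
    for now in call_times:
        if not persistent:
            endtime = None
        if needs_fresh_tgt(spec, endtime, now):
            as_reqs += 1
            endtime = now + tgt_lifetime
    return as_reqs
```

Running `count_as_reqs(parse_auto_spec(SAMPLE_SPEC), [0, 10, 20, 3 * 3600, 8 * 3600 - 100])` gives 2 AS-REQs with a persistent cache (one at start, one when the first TGT drops under the 1h threshold) versus 5 without, which is the trade-off between the two layers in one number.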