long running kadm5 client

Chris Hecker checker at d6.com
Fri Feb 3 21:50:42 EST 2012


I have a daemon that opens a kadm5 connection while it's root and then
drops to nobody.  The problem is if the connection dies, then I'm not
sure how to "refresh" the kadm5 connection.

The connection dies for two reasons.  First, it will eventually time out
with this in kadmind.log:

(Error): check_rpcsec_auth: failed inquire_context, stat=786432
(Notice): Authentication attempt failed: 1.2.3.4, GSS-API error strings are:
(Notice):     The referenced context has expired
(Notice):     Unknown error
(Notice):    GSS-API error strings complete.
(Error): Authentication attempt failed: 1.2.3.4, RPC authentication flavor 6

Or, if kadmind gets restarted but the daemon doesn't (after kadmind)
then the old connection is stale and fails.

In both of these cases, the apis start returning KADM5_RPC_ERROR,
"Communication failure with server".

My first inclination here is to read the keytab entry I need into a
MEMORY keytab, so it'll be around after I drop privileges, and then
occasionally ping kadmind at the top of the main wait loop to see if the
connection has died, and try to reconnect.  The problem is, looking
through the kadm5 API, I wasn't sure what the best way to ping is
without making the server do a bunch of work (like get_principal).  It
looks like kadm5_get_privs just does a round trip to get the 32-bit int
~0, which seems good, but is that a reliable way to do this?  It "seems
to work" in my testing...

Or, is there a better way to do what I want to do?  This daemon is a
server that creates ldap+krb5 accounts for a web signup system and it
needs to run "forever".

Thanks,
Chris