long running kadm5 client

Greg Hudson ghudson at MIT.EDU
Sat Feb 4 00:22:33 EST 2012


On 02/03/2012 09:50 PM, Chris Hecker wrote:
> (Notice): Authentication attempt failed: 1.2.3.4, GSS-API error strings are:
> (Notice):     The referenced context has expired

What version of krb5 is the server running?  We stopped expiring
established gss contexts in krb5 1.8.

> Or, if kadmind gets restarted but the daemon doesn't (after kadmind)
> then the old connection is stale and fails.

Sure.  There's no getting around having to re-establish a connection if
kadmind is restarted.

> My first inclination here is to read the keytab entry I need into a
> MEMORY keytab, so it'll be around after I drop privileges, and then
> occasionally ping kadmind at the top of the main wait loop to see if
> the connection has died, and try to reconnect.

kadm5_get_privs seems like a reasonable proxy for ping.  Alternatively,
you could wait until you have an actual request to make, and reestablish
the connection and retry (once, or several times with some backoff) if
it fails with KADM5_RPC_ERROR.
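The lazy reconnect-and-retry approach, written out as an added example that is not from this thread. The kadm5 library is not linked here: `do_request`, `reconnect` and the error constants are constructed stand-ins for calls such as kadm5_get_privs / kadm5_destroy / kadm5_init_with_skey, so the policy (only a transport error triggers a reconnect, bounded retries, doubling backoff) can be exercised offline.

```c
/* Added example, not code from the mailing-list thread. Simulates a kadm5
 * connection so the retry policy can run without the library. */
#include <stdio.h>

#define RPC_ERROR   1   /* placeholder for KADM5_RPC_ERROR */
#define AUTH_ERROR  2   /* placeholder for any non-transport kadm5 error */
#define MAX_RETRIES 3

typedef struct {
    int failures_left;  /* constructed: RPC failures before the link recovers */
    int reconnects;     /* times the caller re-established the handle */
    int slept_ms;       /* total backoff, recorded instead of actually sleeping */
} fake_conn;

/* Stands in for a real kadm5 call (e.g. kadm5_get_privs as a ping). */
static long do_request(fake_conn *c) {
    if (c->failures_left > 0) { c->failures_left--; return RPC_ERROR; }
    return 0;
}

/* Stands in for a request kadmind rejects for a non-transport reason. */
static long auth_failing_request(fake_conn *c) { (void)c; return AUTH_ERROR; }

/* Stands in for kadm5_destroy() followed by kadm5_init_with_skey() using the
 * MEMORY keytab populated before privileges were dropped. */
static long reconnect(fake_conn *c) { c->reconnects++; return 0; }

/* Run one request. Only RPC_ERROR causes a reconnect and retry; any other
 * status is returned at once. Backoff doubles from 250 ms, at most
 * MAX_RETRIES retries. Returns the final status. */
long request_with_retry(fake_conn *c, long (*op)(fake_conn *)) {
    int delay_ms = 250;
    for (int attempt = 0; ; attempt++) {
        long ret = op(c);
        if (ret != RPC_ERROR || attempt >= MAX_RETRIES)
            return ret;           /* success, other error, or retries exhausted */
        c->slept_ms += delay_ms;  /* usleep(delay_ms * 1000) in real code */
        delay_ms *= 2;
        if (reconnect(c) != 0)
            return RPC_ERROR;
    }
}

int main(void) {
    fake_conn c = {2, 0, 0};   /* constructed: link fails twice, then recovers */
    long ret = request_with_retry(&c, do_request);
    printf("status=%ld reconnects=%d slept=%dms\n", ret, c.reconnects, c.slept_ms);
    return ret != 0;
}
```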

