long running kadm5 client

Chris Hecker checker at d6.com
Sat Feb 4 02:53:21 EST 2012


It's a 1.9.2 kadmind...?

The retry thing is obviously the most efficient thing, but it's a bit of a pain code-wise, so I'm going to go with the get_privs ping until I need to optimize round trips, then I'll bite the retry bullet.

Chris


Greg Hudson <ghudson at MIT.EDU> wrote:

On 02/03/2012 09:50 PM, Chris Hecker wrote:
> (Notice): Authentication attempt failed: 1.2.3.4, GSS-API error strings are:
> (Notice): The referenced context has expired

What version of krb5 is the server running? We stopped expiring
established gss contexts in krb5 1.8.

> Or, if kadmind gets restarted but the daemon doesn't (after kadmind)
> then the old connection is stale and fails.

Sure. There's no getting around having to re-establish a connection if
kadmind is restarted.

> My first inclination here is to read the keytab entry I need into a
> MEMORY keytab, so it'll be around after I drop privileges, and then
> occasionally ping kadmind at the top of the main wait loop to see if
> the connection has died, and try to reconnect.

kadm5_get_privs seems like a reasonable proxy for ping. Alternatively,
you could wait until you have an actual request to make, and reestablish
the connection and retry (once, or several times with some backoff) if
it fails with KADM5_RPC_ERROR.
