k5start -K and ticket renewals

moritz.willers@ubs.com moritz.willers at ubs.com
Tue Jan 28 06:10:45 EST 2014


I like this much better than -K implying to constantly fetch new
tickets. On one host it may be ok to change the -K behaviour; but if you
are running k5start on thousands or tens of thousands of hosts, the
multiplying factor cannot be neglected. It may also be very intentional
to only refresh the ticket once a day but check regularly that it didn't
get lost by accident.

If the behaviour is changing and k5start refreshes the ticket more
regularly, then the updating of the CC must always be atomic. If I
remember correctly, this is right now only the case if -o, -g or -m are
specified.

- mo

-----Original Message-----
From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
Behalf Of Nico Williams
Sent: 17 January 2014 00:02
To: Russ Allbery
Cc: kerberos at mit.edu
Subject: Re: k5start -K and ticket renewals

Ideally the auto-renewal wake-up timer should be automatically set
from the TGT's lifetime (and libkrb5 should automatically handle any
faster expiration of non-initial tickets).  Then -K shouldn't be
needed.

The hard part is how to handle transient renewal errors, particularly
when the ticket's original lifetime was short (but renew lifetime
long).

Nico
--
________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
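
The wake-up scheduling discussed in the quoted message, sketched as an added example (not code from this thread or from k5start). The `Tgt` type, the `plan` function, the half-lifetime wake-up point and the 30 s / 600 s retry bounds are all assumptions chosen for illustration; the point is that the retry delay after a transient error is capped by the ticket's remaining lifetime, so a short-lived but long-renewable ticket is not slept past.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tgt:
    starttime: int   # epoch seconds the ticket became valid
    endtime: int     # ticket expiry
    renew_till: int  # last instant at which a renewal is accepted

def plan(tgt, now, failures=0, min_retry=30, max_retry=600):
    """Return (delay_seconds, action) for the next wake-up.

    action is "renew" (renew the cached TGT) or "reacquire" (fetch a
    fresh initial ticket, e.g. from a keytab). `failures` counts the
    consecutive transient errors seen so far. Policy is hypothetical.
    """
    remaining = tgt.endtime - now
    # Exponential backoff so a struggling KDC is not hammered.
    backoff = min(max_retry, min_retry * 2 ** (failures - 1)) if failures else 0
    if remaining <= 0:
        # Ticket already gone: only a new initial ticket helps.
        return backoff, "reacquire"
    # Renewing cannot extend a ticket whose endtime has reached renew_till.
    action = "renew" if tgt.endtime < tgt.renew_till else "reacquire"
    if failures == 0:
        # Healthy path: wake halfway through the ticket's own lifetime.
        midpoint = tgt.starttime + (tgt.endtime - tgt.starttime) // 2
        return max(0, midpoint - now), action
    if remaining <= min_retry:
        # Renewal window is nearly closed: stop renewing, get a new ticket.
        action = "reacquire"
    # Never sleep past half of what is left of the ticket.
    return min(backoff, remaining // 2), action

if __name__ == "__main__":
    # Constructed sample: 5-minute ticket, 7-day renew lifetime, KDC
    # failing from t=150 onwards.
    short = Tgt(starttime=0, endtime=300, renew_till=604800)
    now, failures = 0, 0
    while now <= 300:
        delay, action = plan(short, now, failures)
        print(f"t={now:3d} failures={failures} -> sleep {delay}s, then {action}")
        now += max(delay, 1)
        failures += 1 if now > 150 else 0
```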