k5start -K and ticket renewals

Russ Allbery eagle at eyrie.org
Tue Jan 28 13:42:07 EST 2014


Nico Williams <nico at cryptonector.com> writes:
> On Tue, Jan 28, 2014 at 5:10 AM,  <moritz.willers at ubs.com> wrote:

>> If the behaviour is changing and k5start refresh the ticket more
>> regularly, then the updating of the CC must always be atomic. If I
>> remember correctly, this is right now only the case if -o, -g or -m are
>> specified.

> As to atomicity... the FILE ccache currently depends on POSIX file
> locking at least for additions of tickets, and this is a disaster
> because POSIX file locking is a disaster (because of its drop locks on
> first close semantics).  But yes, *renewal* and refresh should always
> result in a rename(2) into place, which should be atomic.

By that do you mean that the Kerberos libraries do that, or that I need to
do that in k5start?

I assume krenew is fine (to the extent that POSIX locking is fine).

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>


More information about the Kerberos mailing list