k5start -K and ticket renewals

Russ Allbery eagle at eyrie.org
Thu Jan 30 00:18:18 EST 2014


<moritz.willers at ubs.com> writes:

> I like this much better than -K implying to constantly fetch new
> tickets. On one host it may be ok to change the -K behaviour; but if you
> are running k5start on thousands or tens of thousands of hosts, the
> multiplying factor cannot be neglected. It may also be very intentional
> to only refresh the ticket once a day but check regularly that it didn't
> get lost by accident.

Okay, I think I'm hearing enough opposition to the plan to just change -K
that I'm going to go with the previous plan of adding a new -a option that
says to renew the ticket each time it wakes up.  I'm also going to support
using -H with -K, where -H is the minimum ticket lifetime and the renewal
decision will be based on maintaining at least that minimum ticket
lifetime.

> If the behaviour is changing and k5start refreshes the ticket more
> regularly, then the updating of the CC must always be atomic. If I
> remember correctly, this is right now only the case if -o, -g or -m are
> specified.

I think this is true regardless, and I'm tentatively planning on changing
k5start to always obtain tickets in a new ticket cache file and then
rename it over top of the existing ticket cache in the next release.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>
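The atomic cache update described in the reply (obtain tickets into a new file, then rename it over the existing cache), shown as an added Python illustration that is not k5start's own code. The cache contents are constructed placeholders; a real FILE: cache is binary, but the replacement strategy does not depend on the format.

```python
import os
import tempfile

# Constructed stand-ins for the contents of a ticket cache before and after renewal.
OLD_TICKETS = b"FILE-CACHE-v1: old ticket, expires 12:00\n"
NEW_TICKETS = b"FILE-CACHE-v1: renewed ticket, expires 23:00\n"


def read_cache(path):
    with open(path, "rb") as f:
        return f.read()


def refresh_in_place(cache_path, new_data, on_partial):
    """Non-atomic refresh: open the existing cache with truncation, then write.
    A reader that runs between truncation and write sees an empty cache."""
    with open(cache_path, "wb") as f:
        on_partial()  # simulates a concurrent reader at the worst moment
        f.write(new_data)


def refresh_atomically(cache_path, new_data, on_partial):
    """Write the new cache into a temporary file in the same directory (same
    filesystem, so rename is atomic), fsync it, then rename it over the old
    cache. Readers see either the complete old or the complete new cache."""
    directory = os.path.dirname(os.path.abspath(cache_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".krb5cc_new_", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(fd, 0o600)  # mkstemp already uses 0600; kept explicit
            on_partial()
            f.write(new_data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, cache_path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)  # never leave a half-written cache behind
        raise


def simulate(refresh):
    """Run one refresh strategy against a scratch cache; return what a
    concurrent reader saw mid-refresh and what the file holds afterwards."""
    with tempfile.TemporaryDirectory() as d:
        cache = os.path.join(d, "krb5cc_1000")
        with open(cache, "wb") as f:
            f.write(OLD_TICKETS)
        seen = {}
        refresh(cache, NEW_TICKETS,
                lambda: seen.setdefault("mid", read_cache(cache)))
        return seen["mid"], read_cache(cache)
```

With the in-place strategy the mid-refresh reader gets an empty cache; with rename-over it still gets the old, valid tickets.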

