Keytab-based initiator creds design

Russ Allbery rra at stanford.edu
Thu Jun 7 18:07:16 EDT 2012


Simo Sorce <simo at redhat.com> writes:

> Well I am pushing for getting you a ccache at login time, my idea is
> that the user shouldn't even know nor care that they have a ccache and
> not have to learn to use kinit. Of course admins need to, but I would
> expect them to know what they are doing :)

This works up until the point when your ticket cache expires.  Refreshing
an expired ticket cache is the primary reason why our users run kinit.
(And renewable tickets reduce this problem but don't eliminate it; wanting
to stay logged in longer than a reasonable renewable ticket lifetime is
common.)  If you have a GUI session, you can spawn some local helper that
does kinit for the user, but if they're logged in remotely, you can't
really do that.

The other reason why our users run kinit is because they have OpenSSH
clients that can do GSS-API authentication but can't (or aren't configured
to) do ticket delegation, which is depressingly common.

> The problem with multiple ccaches per session is things like NFS or
> CIFS. Which ccache should they pick for file access when you have
> multiple ones? How do they find them?

Yeah, that's the conversation that Nico and I were just having.  :)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
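The renewal arithmetic behind the "renewable tickets reduce this problem but don't eliminate it" point, as an added example that is not part of the thread or of any Kerberos implementation. It assumes the usual rules for `kinit -R`: a ticket can only be renewed while it is still unexpired, each renewal grants the configured lifetime again, and no renewal may push the expiry past the ticket's renew-till time. Clock skew, KDC policy that shortens lifetimes, and the renewable flag itself are simplified away; a non-renewable ticket is modelled as one whose renew-till equals its initial expiry.

```python
"""Model when a logged-in session loses valid Kerberos credentials.

Times are hours after the initial kinit.  This is an illustrative model
(added example), not code from MIT Kerberos or from the krbdev thread.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ticket:
    endtime: float     # hours after the initial kinit at which the TGT expires
    renew_till: float  # hard limit: no renewal may extend endtime beyond this
    lifetime: float    # lifetime the KDC grants on each issue or renewal (hours)


def renew(ticket: Ticket, now: float) -> Optional[Ticket]:
    """Model of `kinit -R` at time `now`.

    Returns the renewed ticket, or None when renewal is impossible and the
    user has to obtain fresh credentials (password or keytab kinit).
    """
    if now >= ticket.endtime:
        return None  # expired: the KDC will not renew an expired TGT
    if now >= ticket.renew_till:
        return None  # renewable lifetime exhausted
    new_end = min(now + ticket.lifetime, ticket.renew_till)
    return Ticket(new_end, ticket.renew_till, ticket.lifetime)


def first_gap(ticket: Ticket, renew_every: float,
              session_length: float) -> Optional[float]:
    """Hour at which a session that runs `kinit -R` every `renew_every` hours
    first finds itself without valid credentials, or None if the ticket
    outlives the session."""
    now = 0.0
    while True:
        if ticket.endtime >= session_length:
            return None  # credentials outlive the login session
        next_run = now + renew_every
        if next_run >= ticket.endtime:
            return ticket.endtime  # expires before the helper runs again
        now = next_run
        renewed = renew(ticket, now)
        if renewed is None:
            return ticket.endtime  # can't renew any further
        ticket = renewed


def week_long_renewable() -> Ticket:
    """Constructed sample: 10h lifetime, renewable for 7 days (168h)."""
    return Ticket(endtime=10.0, renew_till=168.0, lifetime=10.0)


if __name__ == "__main__":
    t = week_long_renewable()
    # Two-week remote session, hourly renewal: locked out after the renewable
    # lifetime, so the user still has to run kinit by hand on day 7.
    print("hourly renewal, 14-day session:", first_gap(t, 1.0, 336.0))
    # Renewal helper that runs less often than the ticket lifetime is useless.
    print("12-hourly renewal:", first_gap(t, 12.0, 336.0))
    # Non-renewable ticket: renewal never moves the expiry.
    print("non-renewable:", first_gap(Ticket(10.0, 10.0, 10.0), 1.0, 48.0))
    # Short session: nothing to do.
    print("4-hour session:", first_gap(t, 1.0, 4.0))
```

The second and third cases are the ones a login-time ccache design has to plan for: a renewal helper only helps if it runs more often than the ticket lifetime, and once renew-till is reached (or the ticket was never renewable) nothing short of a fresh kinit, from a password or a keytab, restores the session's credentials.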
