Keytab-based initiator creds design
Dmitri Pal
dpal at redhat.com
Thu Jun 7 18:26:17 EDT 2012
On 06/07/2012 06:07 PM, Russ Allbery wrote:
> Simo Sorce <simo at redhat.com> writes:
>
>> Well I am pushing for getting you a ccache at login time, my idea is
>> that the user shouldn't even know nor care that they have a ccache and
>> not have to learn to use kinit. Of course admins need to, but I would
>> expect them to know what they are doing :)
> This works up until the point when your ticket cache expires. Refreshing
> an expired ticket cache is the primary reason why our users run kinit.
> (And renewable tickets reduce this problem but don't eliminate it; wanting
> to stay logged in longer than a reasonable renewable ticket lifetime is
> common.) If you have a GUI session, you can spawn some local helper that
> does kinit for the user, but if they're logged in remotely, you can't
> really do that.
>
> The other reason why our users run kinit is because they have OpenSSH
> clients that can do GSS-API authentication but can't (or aren't configured
> to) do ticket delegation, which is depressingly common.
>
>> The problem with multiple ccache per sessions are things like NFS or
>> CIFS. Which ccache should they pick for file access when you have
>> multiple ones ? How do they find them ?
> Yeah, that's the conversation that Nico and I were just having. :)
>
We have SSSD for users and will have GSS proxy for automatic ticket
renewal, so this is not a problem in the long run.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
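The exchange above turns on one practical rule: a renewable TGT postpones the need for kinit, but only while the ticket is still valid, so an expired cache always needs a fresh kinit (password or keytab). The script below is an added example, not code from this thread or from MIT Kerberos: it parses the default MIT `klist` listing (the date format is assumed to be the common `MM/DD/YYYY HH:MM:SS` or `MM/DD/YY HH:MM:SS`), picks out the TGT, and decides whether a session helper should do nothing, run `kinit -R`, or re-acquire credentials. The sample `klist` output, the principal and the helper names (`parse_klist`, `ccache_action`) are all constructed for the example.

```python
"""Decide whether a Kerberos credential cache is fine, should be renewed,
or must be re-acquired with a fresh kinit.

Added example (not from the krbdev thread or from MIT Kerberos). It parses
the default MIT `klist` listing and applies the rule discussed above: a
renewable TGT buys time, but only while it is still valid.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of `klist` output (not captured from a real system).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
06/07/2012 10:00:00  06/07/2012 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 06/14/2012 10:00:00
06/07/2012 10:05:00  06/07/2012 20:00:00  nfs/fileserver.example.com@EXAMPLE.COM
"""

_TS = r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})"
_TICKET_RE = re.compile(rf"^{_TS}\s+{_TS}\s+(\S+)\s*$")
_RENEW_RE = re.compile(rf"^\s+renew until {_TS}\s*$")
_PRINCIPAL_RE = re.compile(r"^Default principal:\s+(\S+)\s*$")


def _parse_ts(text):
    """klist dates are locale dependent; accept the two common MIT forms (assumption)."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(output):
    """Extract the principal and the TGT's expiry / renew-until from klist output.

    tgt_expires is None when the cache holds no TGT; renew_until is None when
    the TGT is not renewable.
    """
    info = {"principal": None, "tgt_expires": None, "renew_until": None}
    last_was_tgt = False
    for line in output.splitlines():
        m = _PRINCIPAL_RE.match(line)
        if m:
            info["principal"] = m.group(1)
            continue
        m = _TICKET_RE.match(line)
        if m:
            _start, expires, service = m.groups()
            # Only the first krbtgt entry counts; service tickets are ignored.
            last_was_tgt = service.startswith("krbtgt/") and info["tgt_expires"] is None
            if last_was_tgt:
                info["tgt_expires"] = _parse_ts(expires)
            continue
        m = _RENEW_RE.match(line)
        if m and last_was_tgt:
            # The indented "renew until" line belongs to the ticket just above it.
            info["renew_until"] = _parse_ts(m.group(1))
    return info


def ccache_action(info, now, margin=timedelta(minutes=30)):
    """Return "ok", "renew" (run `kinit -R`) or "reacquire" (fresh kinit / keytab).

    `now` is passed in rather than read from the clock so the decision is testable.
    """
    expires = info["tgt_expires"]
    if expires is None or now >= expires:
        # No TGT, or an expired one: an expired ticket cannot be renewed,
        # even if its renew-until time is still in the future.
        return "reacquire"
    if expires - now > margin:
        return "ok"
    renew_until = info["renew_until"]
    if renew_until is not None and renew_until > expires:
        # Still valid, and renewal would extend it: kinit -R is enough.
        return "renew"
    # Non-renewable, or the renew window ends no later than the ticket itself.
    return "reacquire"


if __name__ == "__main__":
    info = parse_klist(SAMPLE_KLIST)
    for when in ("06/07/2012 12:00:00", "06/07/2012 19:45:00", "06/07/2012 20:30:00"):
        print(when, "->", ccache_action(info, _parse_ts(when)))
```

A session helper of the kind Russ describes would run `klist` itself and act on the result; the "reacquire" case is exactly the one that renewable tickets do not remove, which is why the thread ends up at keytab-based or proxy-based renewal rather than at longer renewable lifetimes.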