Ticket #369 (closed enhancement: fixed)

Opened 4 years ago

Last modified 2 years ago

Support automatic Kerberos ticket renewal

Reported by: sgallagh
Owned by: sbose
Priority: minor
Milestone: SSSD 1.5.0
Component: Kerberos Provider
Version: 1.0.0
Keywords:
Cc:
Blocked By:
Blocking:
Tests Updated: no
Coverity Bug:
Patch Submitted:
Red Hat Bugzilla: 0

Description

Provide a way to dynamically renew user tickets. It is a convenience utility and daemon. More details: http://www.freeipa.org/page/Automatic_Ticket_Renewal

Change History

comment:1 Changed 4 years ago by sbose

  • Milestone changed from NEEDS_TRIAGE to SSSD 1.1

comment:2 Changed 4 years ago by sgallagh

  • Milestone changed from SSSD 1.1 to SSSD 1.2

comment:3 Changed 4 years ago by sgallagh

  • Milestone changed from SSSD 1.2 to SSSD 1.3

comment:4 Changed 4 years ago by sgallagh

  • Owner changed from sbose to sgallagh

Per discussion during an SSSD team status meeting, we propose the following solution:

On kinit, store the ticket expiration time in the LDB. Create a new process (ticketmonger?). At startup, it will query the LDB for users with tickets not yet expired. It will create a tevent_timer event for halfway before ticket expiration (or immediately, if more than half the time has passed). When this event fires, ticketmonger will spawn the Kerberos child and perform a ticket renewal using their previous ticket, if the backend is online. If the backend is not online when the event fires, we will queue it for action when the backend becomes online. At that time, the expiration time will be rechecked, in case it has passed in the meantime.

We will add an SBUS method call for ticketmonger to notify the running process that a new ticket should be monitored.
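
The scheduling rule proposed in comment:4, sketched in C as an added example; it is not part of the ticket and is not SSSD code. All names (`renew_entry`, `renew_delay`, `renew_decide`, `renew_flush`) are hypothetical, no tevent, LDB or SBUS calls are used, and storing the ticket start time alongside the expiration time is an assumption needed to compute the halfway point.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical record: the ticket proposes storing only the expiration
 * time; the start time is an added assumption needed to find the midpoint. */
struct renew_entry {
    time_t start;    /* ticket start time (assumed to be stored too) */
    time_t expires;  /* ticket expiration time, as stored on kinit */
};

enum renew_action { RENEW_NOW, RENEW_QUEUED, RENEW_DROP };

/* Seconds to wait before the renewal timer fires, or -1 if the ticket
 * has already expired and must not be scheduled at all. */
long renew_delay(const struct renew_entry *e, time_t now)
{
    if (now >= e->expires) return -1;
    time_t half = e->start + (e->expires - e->start) / 2;
    return now >= half ? 0 : (long)(half - now);
}

/* Decision when the timer fires, or when a queued entry is retried
 * after the backend comes back online. Expiry is rechecked first. */
enum renew_action renew_decide(const struct renew_entry *e, time_t now, int online)
{
    if (now >= e->expires) return RENEW_DROP;
    return online ? RENEW_NOW : RENEW_QUEUED;
}

/* Retry queued entries once online: compacts the queue in place, keeping
 * only entries that are still renewable; returns how many remain. */
size_t renew_flush(struct renew_entry *q, size_t n, time_t now)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (renew_decide(&q[i], now, 1) == RENEW_NOW)
            q[kept++] = q[i];
    return kept;
}

int main(void)
{
    /* Constructed sample: a 10-hour ticket issued at t=0. */
    struct renew_entry e = { 0, 36000 };
    printf("delay at t=3600: %ld s\n", renew_delay(&e, 3600));
    printf("delay at t=20000: %ld s\n", renew_delay(&e, 20000));
    printf("delay at t=40000: %ld s\n", renew_delay(&e, 40000));
    return 0;
}
```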

comment:5 Changed 4 years ago by dpal

  • Owner changed from sgallagh to jhrozek

comment:6 Changed 4 years ago by jhrozek

  • Priority changed from major to minor

Lowering the priority since we need to scope this issue once more taking Eugene's patches into account.

comment:7 Changed 4 years ago by mmoeller

Hi,

has this been implemented in the meanwhile? As expired tickets will break mounted cifs homes, too.

Greets Marcus

comment:8 Changed 4 years ago by sgallagh

No, we have not yet implemented this feature. It is currently scheduled for inclusion in SSSD 1.5.0, which at the time of this writing is targeted at January of 2011.

We are aware that this is a highly-anticipated feature.

comment:9 Changed 3 years ago by sbose

  • Owner changed from jhrozek to sbose

comment:10 Changed 3 years ago by sbose

  • Status changed from new to assigned

comment:12 Changed 2 years ago by dpal

  • Red Hat Bugzilla set to 0