neel_learning_linux 04-07-2009 08:03 AM

Linux Daemons and Kerberos Tickets

I wanted to know whether there are any recommendations regarding following scenario:

- In order for Linux daemons to run in the context of Kerberos/Active Directory users, a (krbtgt) ticket is needed, and it is fetched by kinit.
- But this ticket is usually valid only for some time, depending on the user's configuration, and it needs to be renewed.

Is there a recommended way of renewing/getting a new ticket for the user?

One of the ways suggested to me was to run kinit externally as a cron job for every user you want, every n hours. But that seems dangerous to me.

Putting a kinit call in .bashrc sounds good to me, but that will fetch a ticket only for the default duration. Is there a better way? Or how do admins usually do it?

Thanks in advance,

Linuxchuck 04-07-2009 07:40 PM

It's possible that the solution to your requirement will lie in the use (and proper combination of) pam_winbind and the line "winbind refresh tickets" in /etc/samba/smb.conf. I suggest you google those a bit, and see if it turns up a few good ideas for you.

Since this is related to a daemon process, and not a particular live user, you may need to schedule some sort of activity (through cron for example) to connect to an authenticated service as the daemon user account, thus forcing the refresh to occur.

With the limited amount of information you've provided concerning the distro involved, and the daemon process you are working with, I'm afraid this is the best suggestion I can provide.

Best of luck...
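
The cron-driven refresh that both posts circle around, written out as an added example (not code from either poster): a script meant to run from the daemon account's crontab that parses `klist`, renews the TGT with `kinit -R` while it is still renewable, and exits non-zero when it is not, so the failure shows up in cron mail instead of the daemon silently losing its credentials. It assumes the daemon already holds a renewable TGT (obtained once with a `kinit -r <lifetime>`), that `KRB5CCNAME` points at its credential cache, and that `klist` prints timestamps in the MIT default `MM/DD/YYYY HH:MM:SS` local-time form; the principal `svc-daemon@EXAMPLE.COM`, the cache path, the script name `renew-tgt.sh` and the embedded `klist` output are all constructed for illustration.

```shell
#!/bin/sh
# Cron-driven renewal of a daemon account's Kerberos TGT (added example, not
# from the original thread). Assumptions: the daemon's credential cache already
# holds a *renewable* TGT (obtained once with e.g.
# `kinit -r 7d svc-daemon@EXAMPLE.COM`), KRB5CCNAME points at it, and klist
# prints timestamps in the MIT default "MM/DD/YYYY HH:MM:SS" local-time form.
# Constructed klist output (hypothetical principal and realm) used to exercise
# the parser; a real run reads the live `klist` output instead.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_svc-daemon
Default principal: svc-daemon@EXAMPLE.COM

Valid starting       Expires              Service principal
04/07/2009 08:00:00  04/07/2009 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/14/2009 08:00:00'

# "MM/DD/YYYY HH:MM:SS" -> "YYYYMMDDHHMMSS"; prints nothing when the input does
# not have that shape, so callers can treat an empty result as "unknown".
to_sortable() {
  printf '%s\n' "$1" | awk -F'[/ :]' 'NF == 6 { printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# Reads klist output on stdin, takes "now" as YYYYMMDDHHMMSS in $1 and prints
# one word: valid | expired | unrenewable | missing.
# An expired TGT cannot be renewed with `kinit -R`, and neither can one whose
# renewable lifetime ("renew until") is over or absent; both need a new kinit.
tgt_status() {
  out=$(cat)
  expires=$(to_sortable "$(printf '%s\n' "$out" | awk '/krbtgt\// { print $3 " " $4; exit }')")
  renew_until=$(to_sortable "$(printf '%s\n' "$out" | awk '
    /^[0-9]/   { found = 0 }
    /krbtgt\// { found = 1 }
    found && /renew until/ { print $3 " " $4; exit }')")
  if [ -z "$expires" ]; then
    echo missing
  elif [ "$expires" -lt "$1" ]; then
    echo expired
  elif [ -z "$renew_until" ] || [ "$renew_until" -lt "$1" ]; then
    echo unrenewable
  else
    echo valid
  fi
}

# Cron entry point: renew while the ticket is still renewable; otherwise fail
# loudly (cron mails stderr) so an admin re-runs kinit for the principal.
main() {
  now=$(date +%Y%m%d%H%M%S)
  status=$(klist 2>/dev/null | tgt_status "$now")
  case $status in
    valid)
      kinit -R && echo "TGT renewed at $now" ;;
    *)
      echo "TGT is $status; a fresh kinit for this principal is required" >&2
      exit 1 ;;
  esac
}

# Only perform the live renewal when invoked as `renew-tgt.sh run`; running it
# without the argument just defines the functions (handy for testing the parser).
case "${1:-}" in run) main ;; esac
```

Scheduled as, for example, `0 * * * * /usr/local/sbin/renew-tgt.sh run` in the daemon account's crontab, this keeps an existing renewable ticket alive without ever putting a password into cron, which is the danger the original poster was worried about; when the renewable lifetime runs out, the script's non-zero exit is the signal that a fresh `kinit` is due.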

