[Freeipa-devel] Notes on server to server sasl

Rich Megginson rmeggins at redhat.com
Fri Oct 31 15:18:54 UTC 2008


Simo Sorce wrote:
> On Fri, 2008-10-31 at 08:51 -0600, Rich Megginson wrote:
>> Simo Sorce wrote:
>>> 1. if the connections are long lived you could decide to always acquire
>>> a new TGT before trying to establish a connection.
>> I decided to take this approach.  The connections are relatively long
>> lived and infrequently acquired.
>
> Just one thing. Depending on kerberos libraries, if you run past the
> credential expiration the connection may be dropped. I assume that is
> not a problem as a connection may always be dropped for whatever reason
> and I assume DS already has code to handle the situation in these
> cases.
Yes, that should be fine.
>>> 2. if connections are frequent, you might decide to check before a
>>> connection if credentials are still valid and renew if not.
>> Is there a way to do this without actually attempting to authenticate?
>> I've tried the validation functions, but I get an error from the KDC to
>> the effect of "validation is not permitted".
>
> The credential cache contains the expiration date of the credentials,
> you should be able to check without contacting the KDC (and we do not
> want to contact the KDC at all, unless we need to acquire a ticket).
So if current datetime < cred expiration datetime, then the creds are
ok?  No other validation needs to be done?
> Simo.