[Freeipa-users] Kerberos for cronjoob

Thomas Lau tlau at tetrioncapital.com
Fri Nov 7 09:10:22 UTC 2014 

Hi,

​Thanks for replying.

I am running Ubuntu 14 IPA client, here is the result when I try to run
kinit -R
tlau at mocha:~$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials
tlau at mocha:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1218400003_rZ7eX7
Default principal: tlau at DOMAIN.COM

Valid starting       Expires              Service principal
2014-11-07T16:59:42  2014-11-08T16:59:42  krbtgt/DOMAIN.COM at DOMAIN.COM
tlau at mocha:~$ date
Fri Nov  7 17:09:24 HKT 2014​

Any idea why?


On Fri, Nov 7, 2014 at 4:41 PM, Sumit Bose <sbose at redhat.com> wrote:

> On Thu, Nov 06, 2014 at 10:28:34PM -0500, Dmitri Pal wrote:
> > On 11/06/2014 08:20 PM, Thomas Lau wrote:
> > >?Hi,
> > >
> > >Is it possible to renew ticket once in a while for cronjob to run on
> > >certain users? How do you guys run cronjob on Kerberos user without
> > >getting ticket expire?
> > >
> > >Sent from my BlackBerry 10 smartphone.
> > >
> > >
> > Here is an example:
> http://adam.younglogic.com/2013/05/kerberizing-postgresql-with-freeipa-for-keystone/
> >
> > But starting kerberos  1.11 kerberos library should be able to
> automatically
> > renew the ticket for service accounts
> > http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
>
> SSSD can renew tickets as well, see krb5_renew_interval option described
> in sssd-krb5(5).
>
> Depending on how often your cronjob is run and what is the lifetime of
> your tickets you might just call 'kinit -R' at the beginning of the
> cronjob.
>
> bye,
> Sumit
>
> >
> > --
> > Thank you,
> > Dmitri Pal
> >
> > Sr. Engineering Manager IdM portfolio
> > Red Hat, Inc.
> >
>
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141107/7aa7d318/attachment.htm>

More information about the Freeipa-users mailing list