[Freeipa-users] Kerberos for cronjob

Alexander Bokovoy abokovoy at redhat.com
Fri Nov 7 09:17:41 UTC 2014


On Fri, 07 Nov 2014, Sumit Bose wrote:
>On Thu, Nov 06, 2014 at 10:28:34PM -0500, Dmitri Pal wrote:
>> On 11/06/2014 08:20 PM, Thomas Lau wrote:
>> >Hi,
>> >
>> >Is it possible to renew the ticket once in a while for a cronjob to run on
>> >certain users? How do you guys run a cronjob as a Kerberos user without
>> >the ticket expiring?
>> >
>> >Sent from my BlackBerry 10 smartphone.
>> >
>> >
>> Here is an example: http://adam.younglogic.com/2013/05/kerberizing-postgresql-with-freeipa-for-keystone/
>>
>> But starting with Kerberos 1.11, the Kerberos library should be able to automatically
>> renew the ticket for service accounts:
>> http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
>
>SSSD can renew tickets as well, see the krb5_renew_interval option described
>in sssd-krb5(5).
>
>Depending on how often your cronjob is run and what the lifetime of
>your tickets is, you might just call 'kinit -R' at the beginning of the
>cronjob.
Note that this will only work if your KDC allows issuing renewable
tickets. FreeIPA by default does allow it, but you have to explicitly ask
for a renewable time longer than the ticket validity time:
$ kinit -r 15h -l 10h admin
Password for admin@IPACLOUD.TEST:
$ klist -edf
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@IPACLOUD.TEST

Valid starting       Expires              Service principal
07.11.2014 11:10:56  07.11.2014 21:10:53  krbtgt/IPACLOUD.TEST@IPACLOUD.TEST
        renew until 08.11.2014 02:10:53, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

As can be seen above, I've asked for 15h of renewal time while the ticket
lifetime is 10h. I'm getting back a TGT that has the R flag set (renewable)
and that can be renewed 5h beyond the expiration time. Not that those 5 hours
are helpful here, because once a ticket has expired it cannot be renewed
anymore even if the R flag is there; but the renewal time has to be longer
than the ticket lifetime in order to get the 'renewable' flag set.
-- 
/ Alexander Bokovoy
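As an added illustration of the point above (this is not code from the thread or from FreeIPA), here is a small Python helper that parses the TGT entry of `klist -edf` output and decides whether a cron job can still call `kinit -R` or must obtain a fresh TGT, e.g. from a keytab. The klist text is the sample from the message, embedded as constructed input; the function names are my own.

```python
import re
from datetime import datetime

# klist -edf output from the thread, embedded here as constructed sample input
KLIST_SAMPLE = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: admin@IPACLOUD.TEST

Valid starting       Expires              Service principal
07.11.2014 11:10:56  07.11.2014 21:10:53  krbtgt/IPACLOUD.TEST@IPACLOUD.TEST
        renew until 08.11.2014 02:10:53, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

TS_FMT = "%d.%m.%Y %H:%M:%S"  # klist's timestamp format in the sample's locale
TS_RE = r"\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}"

def parse_ts(text):
    return datetime.strptime(text, TS_FMT)

def parse_tgt(klist_output):
    """Return (expires, renew_until_or_None, flags) for the krbtgt entry, or None."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"({TS_RE})\s+({TS_RE})\s+krbtgt/", line)
        if not m:
            continue
        renew_until, flags = None, ""
        if i + 1 < len(lines):  # "renew until ..., Flags: ..." follows the TGT line
            r = re.search(rf"renew until ({TS_RE})", lines[i + 1])
            f = re.search(r"Flags: (\w+)", lines[i + 1])
            renew_until = parse_ts(r.group(1)) if r else None
            flags = f.group(1) if f else ""
        return parse_ts(m.group(2)), renew_until, flags
    return None

def cron_action(klist_output, now):
    """'renew' -> `kinit -R` can succeed: TGT unexpired, R flag set, inside the renew window.
    'reinit' -> get a new TGT; also the answer for an expired ticket whose renew-until is later."""
    tgt = parse_tgt(klist_output)
    if tgt is None:
        return "reinit"
    expires, renew_until, flags = tgt
    if now >= expires or "R" not in flags or renew_until is None or now >= renew_until:
        return "reinit"
    return "renew"

def renewable_flag_expected(lifetime_hours, renew_hours):
    """The R flag only appears when the requested -r exceeds -l (e.g. -r 15h -l 10h)."""
    return renew_hours > lifetime_hours
```

Running `cron_action` at 23:00 on the sample returns "reinit" although "renew until" is 02:10 the next day, which is exactly the expired-but-renewable trap described above.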