justin-stephenson
2021-03-15 15:26:01 UTC
URL: https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented:
"""
> Ah, I missed the last patch: `KCM: Disable responder idle timeout with renewals`. So it will work correctly. But I wonder if it would be better to keep the idle timeout enabled. What we could do is to make the systemd timer send an SSSD-specific KCM op code periodically and renew the tickets per-request. This would also simplify the logic by a lot since you would not have to keep the hash table and timers.

I'm fine with this approach, but if the systemd timer file is installed conditionally at build time (if KCM renewals are built), then what interval value, i.e. the amount of time after which KCM wakes up to attempt renewals, should we set in the systemd timer file? Currently the renew interval is defined with the `krb5_renew_interval` option in sssd.conf. This is an important consideration because if the renewal interval is too high then we could miss renewing tickets that have already expired; too low and it may add unnecessary KCM load.

I suppose the other side effect is that fallback to `auth_provider=krb5` renew config options would no longer work.
"""
See the full comment at https://github.com/SSSD/sssd/pull/5450#issuecomment-799506171
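The interval trade-off raised in the comment above (a wake-up period longer than the TGT lifetime misses renewals; a very short one just multiplies renewal traffic) can be checked with a small model. The following is an added illustration written for this page, not SSSD or KCM code: it models a TGT by its `endtime` and `renew_till`, a KDC renewal that only succeeds while the ticket is still valid and before `renew_till`, and a periodic renewer (such as a systemd timer poking KCM) that wakes every `interval` seconds. All names and the sample lifetimes are assumptions chosen for the demonstration.

```python
"""Toy model of periodic TGT renewal. Added illustration, not SSSD/KCM code.

All times are integer seconds measured from the moment the initial TGT
was obtained (t0 = 0).
"""
from dataclasses import dataclass
from typing import Tuple


@dataclass
class Ticket:
    endtime: int     # time at which the TGT expires
    renew_till: int  # hard limit: no renewal may extend the TGT past this


def renew(t: Ticket, now: int, lifetime: int) -> Ticket:
    """Model a KDC renewal.

    A TGT can only be renewed while it is still valid and before its
    renew_till; the renewed TGT gets a full `lifetime`, capped at renew_till.
    """
    if now >= t.endtime or now >= t.renew_till:
        raise ValueError("TGT is no longer renewable")
    return Ticket(endtime=min(now + lifetime, t.renew_till),
                  renew_till=t.renew_till)


def simulate(lifetime: int, renew_till: int, interval: int) -> Tuple[int, int, int]:
    """Wake up every `interval` seconds and try to renew the TGT.

    Returns (seconds the TGT stayed continuously valid,
             number of successful renewals,
             number of wake-ups until the TGT could not be renewed any more).
    """
    t = Ticket(endtime=min(lifetime, renew_till), renew_till=renew_till)
    now = renewals = wakeups = 0
    while True:
        now += interval
        wakeups += 1
        if now >= t.endtime:
            # Woke up too late (or reached renew_till): nothing left to renew.
            return t.endtime, renewals, wakeups
        t = renew(t, now, lifetime)
        renewals += 1


if __name__ == "__main__":
    # Constructed sample: 10h ticket lifetime, 7d renewable lifetime.
    LIFETIME, RENEW_TILL = 10 * 3600, 7 * 24 * 3600
    for interval in (60, 30 * 60, LIFETIME, 12 * 3600):
        valid, renewals, wakeups = simulate(LIFETIME, RENEW_TILL, interval)
        print(f"interval={interval:>6}s  valid_for={valid:>7}s  "
              f"renewals={renewals:>5}  wakeups={wakeups:>5}")
```

With the sample values the 30-minute interval keeps the TGT valid for the whole renewable lifetime with 335 renewals, while an interval equal to or larger than the ticket lifetime lets the TGT expire before the first wake-up, and a 60-second interval keeps it valid too but at the cost of over ten thousand renewals. The model therefore reproduces the point in the comment: the timer period has to be strictly shorter than the shortest ticket lifetime in use (with some margin for clock skew and KDC latency), and beyond that every reduction only adds load.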