Bug #7466

Avoid kinit on every IPA request in realm smart proxy

Added by Dominic Cleal about 8 years ago. Updated almost 6 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Realm
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1133940
Description of problem:

The code in rkerberos.rb to obtain a ticket for communicating with an IPA server calls krb5.get_init_creds_keytab. This is a kinit using a keytab and is inefficient.

There are a number of possible solutions. Here are some suggestions, depending on RHEL release:

RHEL 6:

- Use a cron job to manage the ccache by doing a kinit every 6 hours or so.

OR

- Add logic to init_krb5_ccache to pull apart the ccache and look at expiration times before calling krb5.get_init_creds_keytab.

RHEL 7:

MIT Kerberos 1.11 has the ability to do client-initiated tickets via a keytab. In other words, an automatic kinit if a keytab is present. To do this, set the environment variable KRB5_CLIENT_KTNAME to point to the keytab and KRB5CCNAME to the location of the ccache, then do a GSSAPI call such as gss_inquire_cred().

Version-Release number of selected component (if applicable):

foreman-proxy-1.6.0.8-1.el6sat.noarch
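
One way to implement the second RHEL 6 suggestion above (inspect the ccache's expiration times before calling krb5.get_init_creds_keytab), as an added example that is not part of the original report or of the smart proxy code. It assumes a FILE: ccache in format version 4; `CcacheReader`, `needs_kinit?`, `sample_ccache` and the 300-second `skew` default are hypothetical names and values.

```ruby
require 'stringio'

class CcacheReader # added example, hypothetical name: reads a version 4 FILE: ccache
  def initialize(bytes); @io = StringIO.new(bytes.b); end
  # Latest endtime (epoch seconds) among krbtgt credentials, or nil if none.
  def tgt_endtime
    raise ArgumentError, 'not a v4 ccache' unless take(2) == "\x05\x04".b
    take(u16)                             # header: 16-bit length + tagged fields
    principal                             # default principal
    best = nil
    until @io.eof?
      _client, server = principal, principal
      u16; data                           # keyblock: enctype, key bytes
      endtime = take(21).unpack('N4')[2]  # 4 times, is_skey (1), ticket_flags (4)
      2.times { u32.times { u16; data } } # addresses, then authdata
      2.times { data }                    # ticket, second_ticket
      best = [best.to_i, endtime].max if server.first == 'krbtgt'
    end
    best
  end

  private
  def take(n)
    s = @io.read(n).to_s
    s.bytesize == n ? s : raise(ArgumentError, 'truncated ccache')
  end
  def u16() take(2).unpack1('n') end
  def u32() take(4).unpack1('N') end
  def data() take(u32) end
  def principal                           # returns the name components
    _type, count, _realm = u32, u32, data
    Array.new(count) { data }
  end
end

# True when the cache is missing, unreadable, or the TGT ends within `skew` seconds.
def needs_kinit?(path, now: Time.now.to_i, skew: 300)
  CcacheReader.new(File.binread(path)).tgt_endtime.to_i - skew <= now
rescue SystemCallError, ArgumentError
  true
end

def sample_ccache(endtime) # constructed sample input: minimal v4 ccache, one TGT
  d = ->(s) { [s.bytesize].pack('N') + s }
  pr = ->(*c) { [1, c.size].pack('NN') + d['EXAMPLE.COM'] + c.map(&d).join }
  "\x05\x04".b + [12, 1, 8, 0, 0].pack('nnnNN') + pr['host', 'p.example.com'] * 2 +
    pr['krbtgt', 'EXAMPLE.COM'] + [18].pack('n') + d["\0" * 32] +
    [0, 0, endtime, 0].pack('N4') + "\0" * 13 + d['ticket'] + d['']
end
```

The check compares against the local clock and ignores the KDC time offset stored in the ccache header. Anything it cannot parse counts as "needs kinit", so a corrupt cache falls back to the current behaviour rather than blocking requests.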


Related issues

Related to Smart Proxy - Feature #7467: support gss-proxy in realm smart proxy (New, 2014-09-16)

History

#1 Updated by Dominic Cleal about 8 years ago

  • Category set to Realm
  • Status changed from New to Assigned

#2 Updated by Dominic Cleal about 8 years ago

  • Related to Feature #7467: support gss-proxy in realm smart proxy added

#3 Updated by Stephen Benjamin almost 6 years ago

  • Status changed from Assigned to New
  • Assignee deleted (Stephen Benjamin)
