Bug #7466
open
Avoid kinit on every IPA request in realm smart proxy
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1133940
Description of problem:
The code in rkerberos.rb to obtain a ticket for communicating with an IPA server calls krb5.get_init_creds_keytab. This is a kinit using a keytab and is inefficient.
There are a number of possible solutions. Here are some suggestions, depending on RHEL release:
RHEL 6:
- Use a cron job to manage the ccache by doing a kinit every 6 hours or so.
OR
- Add logic to init_krb5_ccache to pull apart the ccache and look at expiration times before calling krb5.get_init_creds_keytab.
RHEL 7:
MIT Kerberos 1.11 has the ability to do client-initiated tickets via a keytab. In other words, an automatic kinit if a keytab is present. To do this, set the environment variable KRB5_CLIENT_KTNAME to point to the keytab and KRB5CCNAME to the location of the ccache, then do a GSSAPI call such as gss_inquire_cred().
Version-Release number of selected component (if applicable):
foreman-proxy-1.6.0.8-1.el6sat.noarch
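One way to implement the RHEL 6 option of looking at ccache expiration times before calling krb5.get_init_creds_keytab, as an added example that is not part of the original report or of foreman-proxy's code. It assumes a FILE-type ccache in format version 0x0504; the function names, the 300-second margin and the sample principal names are hypothetical.

```ruby
require 'stringio'

def be_uint(io, n)   # big-endian unsigned integer of n bytes
  io.read(n).unpack1({ 1 => 'C', 2 => 'n', 4 => 'N' }[n])
end
def counted(io)      # uint32 length, then that many bytes
  io.read(be_uint(io, 4))
end
def principal(io)    # => [realm, [components]]
  be_uint(io, 4)     # name type, unused here
  count = be_uint(io, 4)
  [counted(io), Array.new(count) { counted(io) }]
end

# Latest endtime (epoch seconds) among krbtgt credentials, or nil if none.
def tgt_endtime(data)
  io = StringIO.new(data.b)
  raise ArgumentError, 'not a v4 ccache' unless be_uint(io, 2) == 0x0504
  io.read(be_uint(io, 2))                         # skip header tags
  principal(io)                                   # default principal
  best = nil
  until io.eof?
    principal(io)                                 # client
    _realm, server = principal(io)
    be_uint(io, 2); counted(io)                   # keyblock: enctype, key
    endtime = Array.new(4) { be_uint(io, 4) }[2]  # auth, start, END, renew
    be_uint(io, 1); be_uint(io, 4)                # is_skey, ticket flags
    2.times { be_uint(io, 4).times { be_uint(io, 2); counted(io) } } # addrs, authdata
    2.times { counted(io) }                       # ticket, second ticket
    best = [best || 0, endtime].max if server.first == 'krbtgt'
  end
  best
end

def needs_kinit?(data, now, margin = 300)  # unreadable cache => kinit too
  endtime = tgt_endtime(data)
  endtime.nil? || endtime - margin <= now
rescue StandardError
  true
end

def sample_ccache(endtime)  # constructed sample, hypothetical principal names
  s = ->(x) { [x.bytesize].pack('N') + x }
  princ = ->(*c) { [1, c.size].pack('NN') + s['EXAMPLE.COM'] + c.map(&s).join }
  me = princ['host', 'proxy.example.com']
  [0x0504, 0].pack('nn') + me + me + princ['krbtgt', 'EXAMPLE.COM'] +
    [18].pack('n') + s["\0" * 32] + [0, 0, endtime, 0].pack('N4') +
    [0].pack('C') + [0, 0, 0].pack('N3') + s['ticket'] + s['']
end
```

A missing, truncated or non-FILE cache makes `needs_kinit?` return true, so the caller falls back to the existing keytab kinit instead of sending a request without a valid ticket.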
Updated by Dominic Cleal over 9 years ago
- Category set to Realm
- Status changed from New to Assigned
Updated by Dominic Cleal over 9 years ago
- Related to Feature #7467: support gss-proxy in realm smart proxy added
Updated by Stephen Benjamin over 7 years ago
- Status changed from Assigned to New
- Assignee deleted (Stephen Benjamin)