Bug #7466

open

Avoid kinit on every IPA request in realm smart proxy

Added by Dominic Cleal over 9 years ago. Updated over 7 years ago.

Status: New
Priority: Normal
Assignee: -
Category: Realm
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1133940
Description of problem:

The code in rkerberos.rb to obtain a ticket for communicating with an IPA server calls krb5.get_init_creds_keytab. This is a kinit using a keytab and is inefficient.

There are a number of possible solutions. Here are some suggestions, depending on RHEL release:

RHEL 6:

- Use a cron job to manage the ccache by doing a kinit every 6 hours or so.

OR

- Add logic to init_krb5_ccache to pull apart the ccache and look at expiration times before calling krb5.get_init_creds_keytab.

RHEL 7:

MIT Kerberos 1.11 has the ability to do client-initiated tickets via a keytab. In other words, an automatic kinit if a keytab is present. To do this set the environment variable KRB5_CLIENT_KTNAME to point to the keytab and KRB5CCNAME to the location of the ccache, then do a GSSAPI call such as gss_inquire_cred().

Version-Release number of selected component (if applicable):

foreman-proxy-1.6.0.8-1.el6sat.noarch
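
The RHEL 6 suggestion above, pulling apart the ccache and checking expiration times before calling kinit, could look like the following added example, which is not part of the original report or of the smart proxy code. It parses a FILE: ccache (format version 4) and asks for a kinit only when no TGT is present or the TGT is close to expiry. `CcacheReader`, `kinit_needed?`, `sample_ccache`, the 300-second margin and the `EXAMPLE.TEST` principal are hypothetical names and values chosen for illustration.

```ruby
require 'stringio'

# Minimal reader for the MIT FILE: ccache format, version 4 (big-endian).
class CcacheReader
  def initialize(bytes); @io = StringIO.new(bytes.b); end

  # Endtime (Time) of the first krbtgt/... credential, or nil if none.
  def tgt_endtime
    raise ArgumentError, 'not a v4 ccache' unless take(2) == "\x05\x04".b
    take(u16); principal                  # skip header tags, default principal
    until @io.eof?
      _client, server = principal, principal
      u16; data                           # keyblock: enctype, key bytes
      endtime = Array.new(4) { u32 }[2]   # authtime, starttime, endtime, renew_till
      take(1); u32                        # is_skey flag, ticket flags
      2.times { u32.times { u16; data } } # addresses, then authdata
      2.times { data }                    # ticket, second ticket
      return Time.at(endtime) if server.first == 'krbtgt'
    end
  end

  def take(n)                             # a short read means a corrupt cache
    s = @io.read(n).to_s
    s.bytesize == n ? s : raise(EOFError, 'truncated ccache')
  end
  def u16; take(2).unpack1('n'); end
  def u32; take(4).unpack1('N'); end
  def data; take(u32); end                # counted octet string
  def principal                           # returns the name components
    _type, count, _realm = u32, u32, data
    count.times.map { data }
  end
end

# True when a kinit is needed: bad cache, no TGT, or TGT expiring within margin
# (the 300-second default is an assumed policy value).
def kinit_needed?(bytes, now: Time.now, margin: 300)
  endtime = CcacheReader.new(bytes).tgt_endtime
  endtime.nil? || endtime - now < margin
rescue ArgumentError, EOFError
  true
end

# Constructed sample: a v4 ccache with one TGT for a made-up principal.
def sample_ccache(endtime)
  str  = ->(s) { [s.bytesize].pack('N') + s.b }
  prin = ->(*c) { [1, c.size].pack('NN') + str['EXAMPLE.TEST'] + c.map(&str).join }
  "\x05\x04\0\0".b + prin['host', 'proxy'] * 2 + prin['krbtgt', 'EXAMPLE.TEST'] +
    [18].pack('n') + str["\0" * 32] + [0, 0, endtime, 0].pack('N4') +
    "\0".b + [0, 0, 0].pack('N3') + str['ticket'] + str['']
end
```

In the proxy, the bytes would be read from the file that KRB5CCNAME names. The reader ignores the KDC time-offset header field and does not handle non-FILE cache types.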


Related issues: 1 (1 open, 0 closed)

Related to Smart Proxy - Feature #7467: support gss-proxy in realm smart proxy (New, 09/16/2014)

#1

Updated by Dominic Cleal over 9 years ago

  • Category set to Realm
  • Status changed from New to Assigned
#2

Updated by Dominic Cleal over 9 years ago

  • Related to Feature #7467: support gss-proxy in realm smart proxy added
#3

Updated by Stephen Benjamin over 7 years ago

  • Status changed from Assigned to New
  • Assignee deleted (Stephen Benjamin)