Dave Love <[EMAIL PROTECTED]> writes:
> "Perry E. Metzger" <[EMAIL PROTECTED]> writes:
>
>> So, you just run kinit in cron as the specified daemon user with the
>> appropriate flags and it will renew its own tickets and all is well.
>
> Who says you can even run kinit from cron if it was appropriate?
>
>> I'm not sure why people think this is all so mysterious. Can you
>> explain what is hard about this?
>
> That's just hand-waving. Hard things include how you integrate it with
> a distributed batch system, for a start.

Kerberos is already a distributed system. Machines at MIT have been refreshing their server tickets for what, 20 years now? This is not hard.

> Making it tolerably secure too.

That's why you use Kerberos.

> I don't want all users to keep keytabs around everywhere
> (synchronized with password changes),

You don't need to do that. If the issue is a user process on a remote machine that needs user rather than server credentials, you forward tickets or design things so server credentials are good enough to get the needed resources once things have started. You can re-forward tickets as often as you want.

There are large firms I know that run this stuff in production and it really does work.

Perry
_______________________________________________
Beowulf mailing list, Beowulf@beowulf.org
To change your subscription (digest mode or unsubscribe) visit http://www.beowulf.org/mailman/listinfo/beowulf
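
The cron-driven renewal discussed in this thread, as an added example that is not part of the original messages: a POSIX sh function that first tries `kinit -R` and falls back to the daemon's keytab once the ticket is past its renewable lifetime. The principal, keytab path and cache path are assumptions; the flags are those of MIT `kinit` and `klist`.

```shell
#!/bin/sh
# Added example: keep a daemon user's Kerberos ticket cache fresh from cron.
# All principals and paths shown here are hypothetical placeholders.

# refresh_tickets PRINCIPAL KEYTAB CCACHE
# Prints the action taken: "renewed", "reacquired" or "failed".
# Returns 0 when a valid ticket is in the cache afterwards, 1 otherwise.
refresh_tickets() {
    principal=$1
    keytab=$2
    ccache=$3

    # klist -s exits non-zero if the cache is missing or its TGT has expired.
    # kinit -R renews the existing TGT, which only succeeds while the ticket
    # is still valid and inside its renewable lifetime.
    if klist -s -c "$ccache" && kinit -R -c "$ccache" 2>/dev/null; then
        echo renewed
        return 0
    fi

    # Renewal was not possible: get a fresh TGT from the service keytab.
    # The keytab should be readable only by the daemon user.
    if [ -r "$keytab" ] &&
       kinit -k -t "$keytab" -c "$ccache" "$principal" 2>/dev/null; then
        echo reacquired
        return 0
    fi

    echo failed
    return 1
}

# Invoked with three arguments, e.g. from the daemon user's crontab
# (constructed entry, paths are assumptions):
#   */30 * * * * /usr/local/bin/krb-refresh.sh svc/node1@EXAMPLE.ORG \
#                /etc/svc.keytab /var/run/svc/krb5cc
# A non-zero exit status lets cron report the failure.
if [ "$#" -eq 3 ]; then
    refresh_tickets "$1" "$2" "$3" >/dev/null
fi
```

This covers the server-credential case only; forwarded user tickets have no keytab to fall back on, so the "failed" branch is where a re-forward would be needed.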