On Fri, 07 Nov 2014, Sumit Bose wrote:
On Thu, Nov 06, 2014 at 10:28:34PM -0500, Dmitri Pal wrote:
On 11/06/2014 08:20 PM, Thomas Lau wrote:
>Is it possible to renew ticket once in a while for cronjob to run on
>certain users? How do you guys run cronjob on Kerberos user without
>getting ticket expire?
>Sent from my BlackBerry 10 smartphone.
Here is an example: 

But starting kerberos  1.11 kerberos library should be able to automatically
renew the ticket for service accounts

SSSD can renew tickets as well, see krb5_renew_interval option described
in sssd-krb5(5).

Depending on how often your cronjob is run and what is the lifetime of
your tickets you might just call 'kinit -R' at the beginning of the
Note that it will only work if your KDC allows to issue renewable
tickets. FreeIPA by default does allow it but you have to explicitly ask
for renewable time longer than the ticket validity time:
$ kinit -r 15h -l 10h admin Password for ad...@ipacloud.test: $ klist -edf Ticket cache: KEYRING:persistent:1000:1000
Default principal: ad...@ipacloud.test

Valid starting       Expires              Service principal
07.11.2014 11:10:56  07.11.2014 21:10:53  krbtgt/ipacloud.t...@ipacloud.test
       renew until 08.11.2014 02:10:53, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
as can be seen above, I've asked for 15h of renewal time while ticket
lifetime is 10h. I'm getting back a TGT that has R flag set (renewable)
and that can be renewed 5h beyond the expiration time. Not that 5 hours
are helpful here because if ticket is expired, it cannot be renewed
anymore even it the R flag is there but renewal time has to be longer
than the ticket lifetime in order to get 'renewable' flag set.
/ Alexander Bokovoy

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to