I would personally stick with using a supplied keytab. If you do switch to renewing tickets, be aware that renewal has to happen while the old tickets are still valid. If your crontab ever misses a renewal, it will break until you kinit again by hand.
The theoretical advantage of renewal over a known password is that renewable tickets can be blacklisted if stolen. But blacklisting is not implemented in the MIT KDC, so it's hard to realize this advantage.

On Thu, 2009-03-26 at 17:53 +0100, [email protected] wrote:
> I'm having a background process which requires a service principal to
> work correctly.
> Currently, I'm having a cron job which does a kinit (with the keytab
> supplied) for that service principal.
> Wouldn't it be better to renew the ticket instead of doing the above?
> As a result, I would have to set the renewable lifetime for that service
> principal to unlimited.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
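The missed-renewal failure mode discussed in this thread, as an added example that is not part of the original messages: a cron wrapper that renews the ticket while the cache is still valid and falls back to the keytab when it is not. The `KEYTAB` path, the `PRINCIPAL` name and the `refresh_ticket` function name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread.
# KEYTAB and PRINCIPAL are constructed placeholder values; set them for
# your own service before use.
KEYTAB="${KEYTAB:-/etc/krb5.keytab.example}"
PRINCIPAL="${PRINCIPAL:-service/host.example.com@EXAMPLE.COM}"

# Refresh the credential cache and print which path was taken:
#   renewed    - the existing TGT was still valid and renewable (kinit -R)
#   reacquired - renewal was not possible, fresh TGT obtained from the keytab
#   failed     - neither worked; non-zero return so cron can report it
refresh_ticket() {
    # klist -s prints nothing and exits non-zero when the cache is missing
    # or expired. That is the missed-renewal case: an expired ticket cannot
    # be renewed, so kinit -R is only attempted on a valid cache.
    if klist -s && kinit -R 2>/dev/null; then
        echo renewed
        return 0
    fi
    # Fallback: authenticate from the keytab, as the original cron job did.
    if kinit -k -t "$KEYTAB" "$PRINCIPAL" 2>/dev/null; then
        echo reacquired
        return 0
    fi
    echo failed
    return 1
}

# Invoke from cron as: refresh-ticket.sh run
if [ "${1:-}" = run ]; then
    refresh_ticket
fi
```

With the fallback in place, the keytab still has to be protected like a password, so this keeps the convenience of renewal without removing the keytab from the host.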
