Hi,

We use kerberized NFS for our home directories on desktops and computational servers. Users log in via pam_krb5, and tickets are refreshed via a cron job that checks if users are still logged on and, if they are, executes a kinit -R /tmp/ticketcache to refresh the ticket. If they are logged off, their ticket cache is deleted.

If the ticket expires, users are instantly cut off from their home directory and almost all processes freeze. Sometimes a reboot is required. Some users stay logged onto a system for longer than 30 days. To minimize the likelihood of this "freeze" happening, we increased renew_lifetime from 7d to 90d in the local krb5.conf. Unfortunately the renew lifetime is enforced by our Windows 2k3 KDC (http://technet.microsoft.com/en-us/library/cc738269%28WS.10%29.aspx). We are debating whether we should increase the Active Directory policy from 7d to 120d for all users.

What is the specific risk of increasing the renew lifetime to 30 days, 90 days, or 120 days? For Windows and Unix systems? Please take into account that our cron job deletes, every hour, all tickets of users who are not currently logged on. Also, we need to use weak crypto because our NetApp requires it.

What would be a better Kerberos setup? pam_winbind instead of pam_krb5? Other tools that can refresh/replace the TGT instead of renewing it? These tools would have to store the user's password in memory, wouldn't they?

Thanks much for your help,
dipe

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
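The hourly refresh job the post describes, written out as an added example (this is not the poster's cron script): it renews each cache with kinit -R while its owner is logged in, deletes the caches of logged-off users, and reports a TGT that has already expired or whose renewable lifetime has run out, because kinit -R cannot help in either case and that is exactly the moment the NFS home directory hangs. It assumes MIT Kerberos klist/kinit in the C locale, one FILE cache per user named /tmp/krb5cc_<uid> (the post only says /tmp/ticketcache), `who` as the source of logged-in users, and that it runs as root; the klist listing embedded in it is constructed, not captured from a real host.

```python
#!/usr/bin/env python3
# Hourly cron job: renew the Kerberos caches of logged-in users, delete the rest.
# Added example, not the poster's script. Assumptions (not from the post): MIT klist/
# kinit in the C locale, FILE caches at /tmp/krb5cc_<uid>, `who` lists logins; run as root.
import datetime as dt
import os
import pwd
import re
import subprocess

CACHE_DIR = "/tmp"
WARN_MARGIN = dt.timedelta(hours=24)  # warn while kinit -R still works but not for long
_TS = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
TGT_LINE = re.compile(rf"^({_TS})\s+({_TS})\s+krbtgt/")
RENEW_LINE = re.compile(rf"^\s*renew until ({_TS})")

# Constructed klist output for a dry run; not captured from a real host.
SAMPLE_LISTING = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Valid starting       Expires              Service principal
05/12/2024 08:00:00  05/12/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/19/2024 08:00:00
"""


def parse_time(s):
    """Current MIT klist prints mm/dd/yyyy; old releases printed mm/dd/yy."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return dt.datetime.strptime(s, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised klist timestamp: {s!r}")


def parse_klist(text):
    """(expires, renew_until) of the TGT; renew_until is None if the TGT is not renewable."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TGT_LINE.match(line)
        if not m:
            continue
        # klist prints the 'renew until' line directly under the ticket it belongs to
        r = RENEW_LINE.match(lines[i + 1]) if i + 1 < len(lines) else None
        return parse_time(m.group(2)), (parse_time(r.group(1)) if r else None)
    raise ValueError("no krbtgt entry in cache listing")


def decide(expires, renew_until, logged_in, now):
    """delete: owner logged off. expired: the KDC refuses kinit -R on an expired TGT.
    unrenewable: renew_until reached or TGT not renewable, only a fresh kinit helps.
    renew: kinit -R works; the new expiry is min(now + ticket lifetime, renew_until)."""
    if not logged_in:
        return "delete"
    if now >= expires:
        return "expired"
    if renew_until is None or now >= renew_until:
        return "unrenewable"
    return "renew"


def logged_in_users():
    out = subprocess.run(["who"], capture_output=True, text=True, check=True).stdout
    return {line.split()[0] for line in out.splitlines() if line.strip()}


def user_caches(cache_dir=CACHE_DIR):
    for name in sorted(os.listdir(cache_dir)):
        m = re.fullmatch(r"krb5cc_(\d+)", name)
        if m:
            yield os.path.join(cache_dir, name), int(m.group(1))


def main():
    now, users = dt.datetime.now(), logged_in_users()
    for path, uid in user_caches():
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = None  # a uid without an account is never "logged in"
        logged_in = user in users
        listing = subprocess.run(["klist", "-c", path], capture_output=True, text=True)
        try:
            expires, renew_until = parse_klist(listing.stdout)
        except ValueError as err:  # empty or corrupt cache
            if not logged_in:
                os.remove(path)
            else:
                print(f"{path}: {err}")
            continue
        action = decide(expires, renew_until, logged_in, now)
        if action == "delete":
            os.remove(path)
        elif action == "renew":
            if renew_until - now <= WARN_MARGIN:
                print(f"{user}: renewable lifetime ends {renew_until}; fresh kinit needed")
            subprocess.run(["kinit", "-R", "-c", path], check=False)
        else:
            print(f"{user}: TGT {action} in {path}; home directory will hang")


if __name__ == "__main__":
    main()
```

The point the decision table makes explicit is that renewal never extends a TGT past its renew-until time: with a 7-day renewable lifetime, a user who stays logged in for 30 days is guaranteed to hit the "unrenewable" branch on day 7 no matter how often the job runs, and only a fresh kinit (password or keytab) produces a new renewable-until. The warning printed 24 hours ahead is the hook to tell such users to re-authenticate before the freeze. Heimdal's klist uses a different layout, so the two regexes would need adjusting there.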
