On Thu, 2012-02-16 at 15:31 +0100, Ondrej Valousek wrote:
> Hi List,
>
> Is it planned for sssd to allow it to renew user's Kerberos cache
> in /tmp/krb5cc_XXXXXX automatically (i.e. much like what the lsass.exe
> service does in Windows)?
> For this to happen, we would need to cache user's plaintext password
> in memory I know, but could be handy in some situations....

We already do something similar (starting with SSSD 1.5.x). If your KDC allows tickets to be requested as "renewable", SSSD can be configured to automatically perform this renewal on your behalf. "Renewable" in Kerberos parlance means that the TGT that you currently have can be presented as sufficient authentication to have a new TGT issued (for some duration). See the sssd-krb5(5) manpage and search for "krb5_renewable_lifetime" and "krb5_renew_interval", both of which need to be set to enable this feature.
_______________________________________________ sssd-devel mailing list [email protected] https://fedorahosted.org/mailman/listinfo/sssd-devel
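
Added example, not part of the original message or of SSSD itself: a small audit that reads an sssd.conf and reports, per Kerberos-authenticating domain, which of the two renewal options named in the reply is missing. The sample configuration, its domain names and values are constructed, and treating `krb5`, `ipa` and `ad` as the Kerberos-backed providers is an assumption of this sketch.

```python
import configparser

# Both options must be set for SSSD to renew TGTs automatically (see reply above).
REQUIRED = ("krb5_renewable_lifetime", "krb5_renew_interval")
# Assumption of this example: providers whose authentication uses Kerberos.
KRB5_PROVIDERS = ("krb5", "ipa", "ad")

# Constructed sample sssd.conf; domains and values are illustrative only.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = corp.example, lab.example, legacy.example

[domain/corp.example]
auth_provider = krb5
krb5_realm = CORP.EXAMPLE
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600

[domain/lab.example]
auth_provider = krb5
krb5_realm = LAB.EXAMPLE
krb5_renewable_lifetime = 7d

[domain/legacy.example]
auth_provider = ldap
"""


def renewal_status(conf_text):
    """Map each Kerberos domain to the list of renewal options it lacks."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    status = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # auth_provider falls back to id_provider when it is not set.
        provider = opts.get("auth_provider", opts.get("id_provider", ""))
        if provider.strip() not in KRB5_PROVIDERS:
            continue
        missing = [k for k in REQUIRED if not opts.get(k, "").strip()]
        status[section[len("domain/"):]] = missing
    return status


if __name__ == "__main__":
    for domain, missing in renewal_status(SAMPLE_SSSD_CONF).items():
        print(domain, "renewal enabled" if not missing else f"missing: {missing}")
```

A domain that sets only one of the two options is the case to look for, since it requests renewable tickets or schedules checks but never actually renews.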
