On Thu, 2012-02-16 at 09:45 -0500, Simo Sorce wrote:
> On Thu, 2012-02-16 at 15:31 +0100, Ondrej Valousek wrote:
> > Hi List,
> >
> > Is it planned for sssd to allow it to renew user's Kerberos cache
> > in /tmp/krb5cc_XXXXXX automatically (i.e. much like what the lsass.exe
> > service does in Windows)?
> > For this to happen, we would need to cache user's plaintext password
> > in memory I know, but could be handy in some situations....
>
> We already do that.
>
> See sssd-krb5(5),
> there is an option named krb5_store_password_if_offline, it is not
> enabled by default.
>
> The password is stored in the keyring in pinned memory, and it is
> removed as soon as we are able to obtain a TGT.
Sorry, disregard this, I didn't realize you said "renew".

Also FWIW Windows also does not store the password for renewals, as renewals do not need a password.
Windows will simply obtain a new ticket every time you unlock the screen (just like we do), and has default renewal times of a week or so (defaults depend on AD version and/or domain policies).

(Windows does cache the NT hash in most cases, but that's due to NTLM support, not really Kerberos related)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
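As an added illustration, not part of the thread and not taken from the sssd project's own documentation, here is a constructed sssd.conf domain fragment that puts the option Simo names next to the renewal-related options that sssd-krb5(5) documents. The domain, realm and KDC names are placeholders; `krb5_renewable_lifetime` and `krb5_renew_interval` are assumed from the man page rather than from this thread, and the values chosen are illustrative.

```ini
# Constructed example sssd.conf fragment; "example.com" / EXAMPLE.COM are placeholders.
[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM

# Request renewable TGTs from the KDC (lifetime chosen for illustration only).
krb5_renewable_lifetime = 7d

# How often sssd walks the credential caches and renews tickets that are
# close to expiry. Seconds; 0 (the default) disables the renewal loop.
# Renewal needs no password, only a TGT still inside its renewable lifetime.
krb5_renew_interval = 3600

# Only used when the KDC is unreachable at login: the password is kept in
# pinned kernel-keyring memory so a TGT can be fetched once the KDC is back,
# and it is dropped as soon as that succeeds. Off by default.
krb5_store_password_if_offline = True
```

The two mechanisms are independent: the renewal loop extends an existing renewable TGT without any stored secret, while `krb5_store_password_if_offline` covers the offline-login case only and never outlives the first successful TGT acquisition. Once a ticket passes its renewable lifetime, a new one again requires authentication, which is the point of the screen-unlock behaviour Simo describes.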
