#369 Support automatic Kerberos ticket renewal

Created 7 years ago by sgallagh
Modified 9 months ago

Provide a way to dynamically renew user tickets. It is a convenience utility and daemon. More details: http://www.freeipa.org/page/Automatic_Ticket_Renewal

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.1

Fields changed

milestone: SSSD 1.1 => SSSD 1.2

Fields changed

milestone: SSSD 1.2 => SSSD 1.3

Per discussion during an SSSD team status meeting, we propose the following solution:

- On kinit, store the ticket expiration time in the LDB.
- Create a new process (ticketmonger?). At startup, it will query the LDB for users with tickets not yet expired. It will create a tevent_timer event for halfway before ticket expiration (or immediately, if more than half the time has passed).
- When this event fires, ticketmonger will spawn the kerberos child and perform a ticket renewal using their previous ticket, if the backend is online.
- If the backend is not online when the event fires, we will queue it for action when the backend becomes online. At that time, the expiration time will be rechecked, in case it has passed in the meantime.

We will add an SBUS method call for ticketmonger to notify the running process that a new ticket should be monitored.

owner: sbose => sgallagh
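
The scheduling rule proposed in the comment above, sketched as an added example that is not part of this ticket or of SSSD's code. The struct, enum and function names are hypothetical, and the ticket start time is an assumption (the proposal only mentions storing the expiration time); the tevent timer and the kerberos child are left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <time.h>

/* Hypothetical record. The proposal stores only the expiry in the LDB;
 * the start time is an assumption needed to find the halfway point. */
struct tkt_entry {
    const char *user;
    time_t start, expires;   /* ticket validity window */
    bool queued;             /* renewal deferred until the backend is online */
};

enum tkt_action { TKT_DROP, TKT_WAIT, TKT_RENEW, TKT_QUEUE };

/* Seconds until the renewal timer should fire: half the lifetime, 0 if more
 * than half has already passed, -1 if the ticket has expired. */
long renew_delay(const struct tkt_entry *t, time_t now)
{
    if (t->expires <= t->start || now >= t->expires)
        return -1;
    time_t half = t->start + (t->expires - t->start) / 2;
    return now >= half ? 0 : (long)(half - now);
}

/* Called when the timer fires or when the backend comes back online. */
enum tkt_action tkt_decide(struct tkt_entry *t, time_t now, bool online)
{
    long d = renew_delay(t, now);
    t->queued = (d == 0 && !online);
    if (d < 0) return TKT_DROP;      /* expired meanwhile: nothing to renew */
    if (d > 0) return TKT_WAIT;      /* re-arm the timer for d seconds */
    return online ? TKT_RENEW : TKT_QUEUE;
}

/* Backend is online again: recheck expiry for every queued entry. */
size_t tkt_flush_queue(struct tkt_entry *v, size_t n, time_t now)
{
    size_t renewed = 0;
    for (size_t i = 0; i < n; i++)
        if (v[i].queued && tkt_decide(&v[i], now, true) == TKT_RENEW)
            renewed++;
    return renewed;
}
```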

Fields changed

owner: sgallagh => jhrozek

Lowering the priority since we need to scope this issue once more taking Eugene's patches into account.

priority: major => minor


Has this been implemented in the meantime? Expired tickets will break mounted CIFS homes, too.


No, we have not yet implemented this feature. It is currently scheduled for inclusion in SSSD 1.5.0, which at the time of this writing is targeted at January of 2011.

We are aware that this is a highly-anticipated feature.

Fields changed

owner: jhrozek => sbose

Fields changed

status: new => assigned

Fixed by
- 369983d
- 92ae4a7
- 7470bb9
- c8b8901
- c7d73cf
- d2d2384
- 1709edf
- f3f9ce8
- 5e7f370

resolution: => fixed
status: assigned => closed
tests: 0 => 1

Fields changed

rhbz: => 0

9 months ago

Metadata Update from @sgallagh:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.5.0



Kerberos Provider