long running kadm5 client
- From: Chris Hecker <checker@xxxxxx>
- Date: Fri, 03 Feb 2012 18:50:42 -0800
I have a daemon that opens a kadm5 connection while it's root and then
drops to nobody. The problem is if the connection dies, then I'm not
sure how to "refresh" the kadm5 connection.
The connection dies for two reasons. First, it will eventually time out
with this in kadmind.log:
(Error): check_rpcsec_auth: failed inquire_context, stat=786432
(Notice): Authentication attempt failed: 220.127.116.11, GSS-API error strings are:
(Notice): The referenced context has expired
(Notice): Unknown error
(Notice): GSS-API error strings complete.
(Error): Authentication attempt failed: 18.104.22.168, RPC authentication flavor 6
Or, if kadmind gets restarted but the daemon doesn't (after kadmind)
then the old connection is stale and fails.
In both of these cases, the apis start returning KADM5_RPC_ERROR,
"Communication failure with server".
My first inclination here is to read the keytab entry I need into a
MEMORY keytab, so it'll be around after I drop privileges, and then
occasionally ping kadmind at the top of the main wait loop to see if the
connection has died, and try to reconnect. The problem is, looking
through the kadm5 API, I wasn't sure what the best way to ping is
without making the server to a bunch of work (like get_principal). It
looks like kadm5_get_privs just does a round trip to get the 32 bit int
~0, which seems good, but is that a reliable way to do this? It "seems
to work" in my testing...
Or, is there a better way to do what I want to do? This daemon is a
server that creates ldap+krb5 accounts for a web signup system and it
needs to run "forever".
- Prev by Date: Re: can't unlock xscreensaver
- Next by Date: Re: long running kadm5 client
- Previous by thread: version krb5support_0_MIT not defined
- Next by thread: Re: long running kadm5 client