Re: Question on k5start daemon-related example in k5start manual
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Aug 31 15:50:41 2010
From: Russ Allbery <rra@stanford.edu>
To: Holger Rauch <holger.rauch@empic.de>
In-Reply-To: <20100831130729.GA12741@heitec.de> (Holger Rauch's message of
"Tue, 31 Aug 2010 15:07:29 +0200")
Date: Tue, 31 Aug 2010 12:50:07 -0700
Message-ID: <87k4n6o93k.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Holger Rauch <holger.rauch@empic.de> writes:

> My questions:
> - When using k5start in this way, should only host principals be used
> or should it also work with user principals?

It will work with user principals, although of course you'll have to
generate a keytab. What we tend to do at Stanford is create principals in
the service/* namespace where the bit after the slash is the name of the
application.

> - What maximum ticket lifetime is assumed/recommended for the used
> principal(s) so that this particular approach works as expected?
> (By "as expected" I mean that Apache runs possibly indefinitely
> (provided that the Apache process doesn't dump core :-) ),
> i.e. without having to be restarted manually just in order
> to obtain a new, "fresh" Kerberos ticket for the corresponding
> principal).

It shouldn't matter, since whatever lifetime you pick will control how
often k5start wakes up and renews the ticket. We usually use settings of
-l 10h -K 30, which uses a 10 hour ticket lifetime and wakes up every
thirty minutes, but anything reasonable should be fine as long as the
ticket lifetime is equal to or less than your maximum ticket lifetime.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
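As an added illustration (not part of Russ's message or of the k5start project), here is a POSIX shell wrapper that applies the -l/-K rule from the reply above before starting a daemon under k5start: the wake interval must be shorter than the requested ticket lifetime, and the lifetime must not exceed the realm's maximum. The principal, keytab path, ticket cache path and the MAX_TICKET_LIFETIME value are assumed placeholders. The k5start options used (-f keytab, -K minutes, -l lifetime, -k cache, then the principal followed by the command to run) are those from k5start's usage; the launcher refuses to run if k5start is not installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the k5start project.
# Validates the -l/-K pairing for a service principal before handing a
# daemon over to k5start. All values below are placeholders (assumptions).

# Convert a kinit/k5start-style lifetime ("10h", "1d", "30m", "600") to minutes.
# A bare number is treated as minutes; seconds are rounded down.
lifetime_to_minutes() {
    value=$(printf '%s' "$1" | sed 's/[a-zA-Z]$//')
    unit=$(printf '%s' "$1" | sed 's/^[0-9]*//')
    case "$value" in
        ''|*[!0-9]*) return 1 ;;
    esac
    case "$unit" in
        d)    echo $((value * 1440)) ;;
        h)    echo $((value * 60)) ;;
        m|'') echo "$value" ;;
        s)    echo $((value / 60)) ;;
        *)    return 1 ;;
    esac
}

# Succeed only when: the wake interval (-K, in minutes) is positive and shorter
# than the ticket lifetime (-l), and the lifetime is at most the realm maximum.
# Requesting more than the realm maximum would only be capped by the KDC.
# $1 = lifetime (e.g. 10h), $2 = wake interval in minutes, $3 = realm max lifetime
check_k5start_settings() {
    life_min=$(lifetime_to_minutes "$1") || return 1
    wake_min=$2
    max_min=$(lifetime_to_minutes "$3") || return 1
    case "$wake_min" in ''|*[!0-9]*) return 1 ;; esac
    [ "$wake_min" -gt 0 ] || return 1
    [ "$wake_min" -lt "$life_min" ] || return 1
    [ "$life_min" -le "$max_min" ] || return 1
    return 0
}

# Print the k5start command line that keeps a daemon's ticket fresh:
# k5start reads the keytab, obtains a ticket with lifetime -l into cache -k,
# renews it every -K minutes, and runs the given command as its child.
# $1 principal, $2 keytab, $3 lifetime, $4 wake minutes, $5 ticket cache, $6.. command
k5start_cmdline() {
    principal=$1 keytab=$2 lifetime=$3 wake=$4 cache=$5
    shift 5
    printf 'k5start -f %s -K %s -l %s -k %s %s %s\n' \
        "$keytab" "$wake" "$lifetime" "$cache" "$principal" "$*"
}

# Realm maximum ticket lifetime (placeholder; take it from your KDC's max_life).
MAX_TICKET_LIFETIME=${MAX_TICKET_LIFETIME:-1d}

# Validate the settings, then exec k5start with the daemon as its command.
# Same positional arguments as k5start_cmdline.
launch_under_k5start() {
    check_k5start_settings "$3" "$4" "$MAX_TICKET_LIFETIME" || {
        echo "refusing to start: -l $3 / -K $4 inconsistent with realm max $MAX_TICKET_LIFETIME" >&2
        return 1
    }
    command -v k5start >/dev/null 2>&1 || { echo "k5start not installed" >&2; return 1; }
    echo "starting: $(k5start_cmdline "$@")" >&2
    principal=$1 keytab=$2 lifetime=$3 wake=$4 cache=$5
    shift 5
    exec k5start -f "$keytab" -K "$wake" -l "$lifetime" -k "$cache" "$principal" "$@"
}
```

Usage (placeholder values): `launch_under_k5start service/app@EXAMPLE.COM /etc/app.keytab 10h 30 /run/app.cc /usr/sbin/httpd -DFOREGROUND`. The check rejects a -K of 600 against -l 10h (the ticket would expire before k5start woke up) and a -l of 2d against a 1d realm maximum.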
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos