Everyone,

My apologies for somehow managing to submit an encrypted/encoded message
yesterday. I don't actually submit to lists very often and didn't
realize I was encoding to the degree it did. Here's the same message again.


Hi Francis,


I think with a minor change of logic this issue is rather simple with a
bit of scripting and some user training. Rather than getting a new
ticket after the old one expires, look for a ticket that expires within
X minutes where your other renewal criteria are still met. While that
original ticket is active, issue a 'kinit -R' for the user principal.
Obviously if your ticket is approaching the end of its renewable life,
you have your original problem again which is where the user training
comes into play. To address that I'd ensure that a) the renewal lifetime
is long enough to run your longest running long job plus one day (or 3
if some long jobs are started on a Friday with no operators available
for the weekend) and b) you have users who execute these kinds of jobs
get a new ticket the next work day (even if, but especially if, a job is
still running). That should cover almost all cases. If you can tell the
difference between one of these long jobs and regular interactive
activity, you can notify the user (or just flat execute kinit for them)
since they are at the computer to answer any prompts for renewal.

After adjusting the renewal lifetimes for user tickets, I'd create a
script that does this renewal then executes all the remaining user
parameters. In the script if the 'kinit -R' fails execute a regular
kinit for the principal in use. Train your users to always start their
jobs with this script rather than directly invoking the jobs and they'll
always be running the job in an environment where they have enough time
to execute the job under a valid ticket that the user has just renewed
or they'll be back to the computer before the current one expires to get
a new one if the job run takes days. That should handle all the cases
except one like the user starting a long job and leaving for long
holiday. If you still use a system script to renew almost expired
tickets with jobs running, you would even handle that case.

To everyone else, thanks for all the great effort on FreeIPA. It has
been a fantastic addition to my little network.

Best regards,

Eric
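
The wrapper described in the message above, as an added example that is not part of the original post or of FreeIPA: it tries `kinit -R`, falls back to a regular `kinit` for the principal in the current cache, and only then runs the job. It assumes MIT Kerberos client tools; the function names and the `KRB_RENEW_LIFE` variable with its `7d` default are hypothetical.

```shell
#!/bin/sh
# Added example: refresh the Kerberos ticket, then run the job.
# Assumes MIT Kerberos client tools (kinit, klist) on PATH.

# Renewable lifetime requested on a fresh kinit. "7d" is an assumed value;
# the KDC's policy still caps what is actually granted.
KRB_RENEW_LIFE="${KRB_RENEW_LIFE:-7d}"

# Print the principal of the current credential cache (MIT klist format).
current_principal() {
    klist 2>/dev/null | sed -n 's/^Default principal: //p'
}

# Renew the existing ticket; if that fails, fall back to a regular kinit.
refresh_ticket() {
    if kinit -R 2>/dev/null; then
        return 0
    fi
    principal="$(current_principal)"
    echo "kinit -R failed; requesting a new ticket${principal:+ for $principal}" >&2
    # With no cache, $principal is empty and kinit uses its default principal.
    kinit -r "$KRB_RENEW_LIFE" ${principal:+"$principal"}
}

# Refresh the ticket, then run the job with all remaining arguments.
krb_run() {
    if [ "$#" -eq 0 ]; then
        echo "usage: krb_run command [args...]" >&2
        return 2
    fi
    # Refuse to start a long job that would run without a valid ticket.
    refresh_ticket || { echo "no valid ticket; job not started" >&2; return 1; }
    "$@"
}
```

Source the file in the user's shell and start jobs as `krb_run ./long_job.sh args`; the fallback `kinit` prompts for the password, so it only works while the user is at the terminal.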
