On 27 Mar 2008, at 20:05, Will Fiveash wrote:
> On Thu, Mar 27, 2008 at 11:48:21AM +0100, Mark Phalan wrote:
>>
>> On Wed, 2008-03-26 at 17:31 -0500, Will Fiveash wrote:
>>> On Wed, Mar 26, 2008 at 10:15:36PM +0100, Mark Phalan wrote:
>>>>
>>>> On 26 Mar 2008, at 18:55, Will Fiveash wrote:
>>>>> On Wed, Mar 26, 2008 at 06:39:18PM +0100, Mark Phalan wrote:
>>>>>>
>>>>>> On Wed, 2008-03-26 at 12:15 -0500, Will Fiveash wrote:
>>>>>>> On Wed, Mar 26, 2008 at 05:04:30PM +0100, Mark Phalan wrote:
>>>>>>>>
>>>>>>>> On Wed, 2008-03-26 at 08:57 -0700, Henry B. Hotz wrote:
>>>>>>>>> Off-thread, but can ktkt_warnd be configured to auto-renew? Warning
>>>>>>>>> is nice, but better to just fix the problem.
>>>>>>>>
>>>>>>>> Yes, ktkt_warnd does renew. The applet is really useful when the max
>>>>>>>> renew time is met and the user needs to re-authenticate. It might be
>>>>>>>> useful for other things too but I see this as its primary purpose...
>>>>>>>
>>>>>>> Yes, a GNOME applet that visually, and optionally audibly, alerts the
>>>>>>> user to the need to re-authenticate and provides an input window to do
>>>>>>> so would be a nice refinement to the Java Desktop.
>>>>>>
>>>>>> I think it would also be nice if it could make use of the notification
>>>>>> framework in GNOME, although perhaps that functionality belongs in
>>>>>> ktkt_warnd...
>>>>>
>>>>> Understood.  My intention was to describe the general idea of what we
>>>>> are looking for in terms of a GNOME friendly app to help users stay on
>>>>> top of krb cred expiration and acquisition.  In regards to the
>>>>> specifics, it does seem reasonable to modify ktkt_warnd to provide this
>>>>> since it's already monitoring and renewing the krb cred.  How would this
>>>>> change ktkt_warnd?  Would there be one multithreaded ktkt_warnd to do
>>>>> this or would the model change with a ktkt_warnd started for each user's
>>>>> login session?  Also, how would this work in regards to a user's remote
>>>>> sessions?
>>>>
>>>>
>>>> I'm not really sure how it would work. I need to take a look at how
>>>> notification works with GNOME. When I get some time I'll take a look and
>>>> get back to the list with more info.
>>>>
>>>>> Can the remote ktkt_warnd display a dialog window on the
>>>>> user's current desktop session?
>>>>
>>>> The GNOME notification supports a type of bubble-window which pops up in
>>>> the user's panel. With the current Nevada release I've only seen Evolution
>>>> (new mail notification) and Rhythmbox (song change notification) using it.
>>>
>>> My point is there are two scenarios (assuming the user has a JDS
>>> session):
>>>
>>> 1. A user's local cred is expiring
>>> 2. A user's remote cred is expiring
>>>
>>> Can ktkt_warnd be used to warn and provide a kinit interface back to the
>>> user's desktop in both scenarios?
>>
>> I'm not sure I totally understand what you're asking. By remote cred do
>> you mean a TGT sitting on some other machine (not the user's Desktop)?
>
> Yes.
>
>> Perhaps that TGT was forwarded via ssh or obtained via pam_krb5.
>
> Yes.
>
>> I believe the current behaviour is that ktkt_warnd will refresh local
>> creds only. In the scenario where there are TGTs on multiple machines
>> there will be multiple ktkt_warnds running. They won't be interacting
>> with each other. If ktkt_warnd is using mail to notify users then (I
>> assume) they'll receive the notification on their desktop (via their
>> mail client).
>> Are you asking if something similar can be done with the GNOME applet?
>> That somehow the remote ktkt_warnd's could notify the user's Desktop
>> session?
>
> Yes.

Well, that's an interesting question. It certainly would be a useful
feature. We should take this into account when/if we ever decide to
ship something.

-M
