I have a daemon that opens a kadm5 connection while it's root and then drops to nobody. The problem is if the connection dies, then I'm not sure how to "refresh" the kadm5 connection.
The connection dies for two reasons. First, it will eventually time out with this in kadmind.log:

(Error): check_rpcsec_auth: failed inquire_context, stat=786432
(Notice): Authentication attempt failed: 1.2.3.4, GSS-API error strings are:
(Notice): The referenced context has expired
(Notice): Unknown error
(Notice): GSS-API error strings complete.
(Error): Authentication attempt failed: 1.2.3.4, RPC authentication flavor 6

Or, if kadmind gets restarted but the daemon doesn't (after kadmind), then the old connection is stale and fails. In both of these cases, the APIs start returning KADM5_RPC_ERROR, "Communication failure with server".

My first inclination here is to read the keytab entry I need into a MEMORY keytab, so it'll be around after I drop privileges, and then occasionally ping kadmind at the top of the main wait loop to see if the connection has died, and try to reconnect. The problem is, looking through the kadm5 API, I wasn't sure what the best way to ping is without making the server do a bunch of work (like get_principal). It looks like kadm5_get_privs just does a round trip to get the 32-bit int ~0, which seems good, but is that a reliable way to do this? It "seems to work" in my testing...

Or, is there a better way to do what I want to do? This daemon is a server that creates ldap+krb5 accounts for a web signup system and it needs to run "forever".

Thanks,
Chris

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
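The probe-and-reconnect loop the post describes, as an added example in C that is not from the post or from MIT Kerberos: the policy is written against three callbacks so it runs stand-alone with constructed fakes, and the HAVE_KADM5 block shows the real kadm5 calls it wraps (kadm5_get_privs as the cheap ping, kadm5_destroy then kadm5_init_with_skey to reopen). Assumed: the MIT krb5 >= 1.7 kadm5_init_with_skey signature, the placeholder principal and keytab names, and that the MEMORY keytab was populated before privileges were dropped, as the post plans.

```c
#include <time.h>
/* Callbacks isolate the kadm5 calls so the policy can be exercised without the library.
 * probe: 0 = kadmind answered, nonzero = kadm5 error (e.g. KADM5_RPC_ERROR). */
typedef int   (*probe_fn)(void *handle);
typedef void *(*connect_fn)(void);            /* NULL when kadmind is unreachable */
typedef void  (*close_fn)(void *handle);
struct kadm_link {
    void *handle;           /* kadm5 server handle, NULL while disconnected */
    time_t last_probe;      /* when kadmind was last pinged */
    int probe_interval;     /* seconds between pings, so probing stays cheap for kadmind */
    probe_fn probe; connect_fn connect; close_fn close;
};
/* Call at the top of the main wait loop.  Pings at most once per probe_interval; any
 * error (expired context or restarted kadmind) discards the stale handle and opens a
 * fresh one from the keytab.  Returns 1 when the handle is usable, 0 if reconnect failed. */
int kadm_link_ensure(struct kadm_link *l, time_t now)
{
    if (l->handle != NULL && now - l->last_probe >= l->probe_interval) {
        l->last_probe = now;
        if (l->probe(l->handle) != 0) { l->close(l->handle); l->handle = NULL; }
    }
    if (l->handle == NULL) { l->handle = l->connect(); l->last_probe = now; }
    return l->handle != NULL;
}
#ifdef HAVE_KADM5   /* real callbacks; assumes the MIT krb5 >= 1.7 kadm5_init_with_skey signature */
#include <kadm5/admin.h>
static krb5_context ctx;    /* set once by the daemon via krb5_init_context() */
static int kadm5_probe(void *h) { long privs; return (int)kadm5_get_privs(h, &privs); }
static void *kadm5_connect(void)   /* "signup/admin" and "MEMORY:signup" are placeholders */
{
    void *h = NULL;
    kadm5_ret_t r = kadm5_init_with_skey(ctx, "signup/admin", "MEMORY:signup",
        KADM5_ADMIN_SERVICE, NULL, KADM5_STRUCT_VERSION, KADM5_API_VERSION_2, NULL, &h);
    return r == 0 ? h : NULL;
}
static void kadm5_close(void *h) { kadm5_destroy(h); }
#endif
/* Constructed fakes for a stand-alone run: kadmind "restarts" at the third probe, after
 * which the first handle only ever returns an error. */
static int fake_probes, fake_conns, fake_slots[8];
static int fake_probe(void *h) { return ++fake_probes >= 3 && h == &fake_slots[0]; }
static void *fake_connect(void) { return &fake_slots[fake_conns++]; }
static void fake_close(void *h) { (void)h; }
/* Drive the policy through `secs` seconds of simulated time; returns connections opened. */
int simulate(int secs, int interval)
{
    struct kadm_link l = { NULL, 0, interval, fake_probe, fake_connect, fake_close };
    fake_probes = fake_conns = 0;
    for (time_t t = 0; t < secs; t++) if (!kadm_link_ensure(&l, t)) return -1;
    return fake_conns;
}
```

With a 60-second probe interval over 300 simulated seconds the fake restart is noticed at the third ping and exactly one reconnect happens, so simulate(300, 60) returns 2.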
