I like this much better than -K implying to constantly fetch new tickets. On one host it may be ok to change the -K behaviour; but if you are running k5start on thousands or ten thousands of hosts, the multiplying factor cannot be neglected. It may also be very intentional to only refresh the ticket once a day but check regularly that it didn't get lost by accident.
If the behaviour is changing and k5start refresh the ticket more regularly, then the updating of the CC must always be atomic. If I remember correctly, this is right now only the case if -o, -g or -m are specified. - mo -----Original Message----- From: kerberos-boun...@mit.edu [mailto:kerberos-boun...@mit.edu] On Behalf Of Nico Williams Sent: 17 January 2014 00:02 To: Russ Allbery Cc: kerberos@mit.edu Subject: Re: k5start -K and ticket renewals Ideally the auto-renewal wake-up timer should be automatically set from the TGT's lifetime (and libkrb5 should automatically handle any faster expiration of non-initial tickets). Then -K shouldn't be needed. The hard part is how to handle transient renewal errors, particularly when the ticket's original lifetime was short (but renew lifetime long). Nico -- ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos Visit our website at http://www.ubs.com This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mails are not encrypted and cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. This message is provided for informational purposes and should not be construed as a solicitation or offer to buy or sell any securities or related financial instruments. UBS Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. UBS AG is a public company incorporated with limited liability in Switzerland domiciled in the Canton of Basel-City and the Canton of Zurich respectively registered at the Commercial Registry offices in those Cantons with Identification No: CH-270.3.004.646-4 and having respective head offices at Aeschenvorstadt 1, 4051 Basel and Bahnhofstrasse 45, 8001 Zurich, Switzerland and is authorised and regulated by the Financial Market Supervisory Authority in Switzerland. Registered in the United Kingdom as a foreign company with No: FC021146 and having a UK Establishment registered at Companies House, Cardiff, with No: BR 004507. The principal office of UK Establishment: 1 Finsbury Avenue, London EC2M 2PP. In the United Kingdom, UBS AG is authorised by the Prudential Regulation Authority and subject to regulation by the Financial Conduct Authority and limited regulation by the Prudential Regulation Authority. Details about the extent of our regulation by the Prudential Regulation Authority are available from us on request. UBS reserves the right to retain all messages. Messages are protected and accessed only in legally justified cases. ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos