On Mon, Nov 15, 2010 at 11:48:03PM -0500, Simo Sorce wrote:
> On Mon, 15 Nov 2010 14:49:52 +0100
> Sumit Bose <sb...@redhat.com> wrote:
>
> > Hi,
> >
> > this series for patches add support for automatic Kerberos ticket
> > renewal, see also trac ticket #369.
> >
> > There are several things I like to discuss:
> > - in the ticket a separate process which should handle the renewal was
> > mentioned. Currently the patches just create a timed task in the
> > krb5 provider because I think most of the typically uses cases do not
> > justify to overhead we create with a separate process. But I'm open
> > for other arguments.
>
> Good choice. Let's not have more processes around than needed .
>
> > - I have added option to request TGT with a specific lifetime/renewal
> > time. The corresponding option in krb5.conf have a trailing letter
> > indicating the time unit. I have copied this behaviour to help
> > migrations although we typically use only seconds without a unit in
> > sssd.conf. Is this a good idea or shall I change it to seconds or do
> > we want to support both formats.
>
> Probably defaulting to seconds if no unit is given but also supporting
> a unit specifier is a good idea. I'd support both.
ok, thanks for the comments. A patch which adds handles the missing unit
is attached.
bye,
Sumit
>
> > - Currently everything is held in RAM and after a restart nothing is
> > renewed automatically. I plan to send a new patch which checks all
> > ccfiles we have in the cache and if renewal is possible it adds them
> > to the list at startup. I think this approach makes more sense than
> > writing the list of renewable ticket to disk. Do you agree?
>
> A re-scan is a good idea, if the ccache is gone for some reason
> (root reformatted /tmp during the outage for example) having a stale
> list on disk just begs for a re-scan anyway.
>
> Simo.
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
From 33000b240cc75ea5cc8337b9c59c1695e9143e2c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Thu, 18 Nov 2010 17:40:57 +0100
Subject: [PATCH 9/9] Allow krb5 lifetime values without a unit
---
src/man/sssd-krb5.5.xml | 8 +++
src/providers/krb5/krb5_common.c | 100 ++++++++++++++++++++++++-------------
2 files changed, 73 insertions(+), 35 deletions(-)
diff --git a/src/man/sssd-krb5.5.xml b/src/man/sssd-krb5.5.xml
index 34a1c72..ef77799 100644
--- a/src/man/sssd-krb5.5.xml
+++ b/src/man/sssd-krb5.5.xml
@@ -284,6 +284,10 @@
<emphasis>d</emphasis> days.
</para>
<para>
+ If there is no delimiter <emphasis>s</emphasis> is
+ assumed.
+ </para>
+ <para>
Please note that it is not possilbe to mix units.
If you want to set the renewable lifetime to one
and a half hour please use '90m' instead of
'1h30m'.
@@ -315,6 +319,10 @@
<emphasis>d</emphasis> days.
</para>
<para>
+ If there is no delimiter <emphasis>s</emphasis> is
+ assumed.
+ </para>
+ <para>
Please note that it is not possilbe to mix units.
If you want to set the lifetime to one and a half
hour please use '90m' instead of '1h30m'.
diff --git a/src/providers/krb5/krb5_common.c b/src/providers/krb5/krb5_common.c
index 0a4ebbf..33a45a1 100644
--- a/src/providers/krb5/krb5_common.c
+++ b/src/providers/krb5/krb5_common.c
@@ -46,6 +46,59 @@ struct dp_option default_krb5_opts[] = {
{ "krb5_renew_interval", DP_OPT_NUMBER, NULL_NUMBER, NULL_NUMBER }
};
+errno_t check_and_export_lifetime(struct dp_option *opts, const int opt_id,
+ const char *env_name)
+{
+ int ret;
+ char *str;
+ krb5_deltat lifetime;
+ bool free_str = false;
+
+ str = dp_opt_get_string(opts, opt_id);
+ if (str == NULL) {
+ DEBUG(5, ("No lifetime configured.\n"));
+ return EOK;
+ }
+
+ if (isdigit(str[strlen(str)])) {
+ str = talloc_asprintf(opts, "%ss", str);
+ if (str == NULL) {
+ DEBUG(1, ("talloc_asprintf failed\n"));
+ return ENOMEM;
+ }
+ free_str = true;
+
+ ret = dp_opt_set_string(opts, opt_id, str);
+ if (ret != EOK) {
+ DEBUG(1, ("dp_opt_set_string failed\n"));
+ goto done;
+ }
+ }
+
+ ret = krb5_string_to_deltat(str, &lifetime);
+ if (ret != 0) {
+ DEBUG(1, ("Invalid value [%s] for a lifetime.\n", str));
+ ret = EINVAL;
+ goto done;
+ }
+
+ ret = setenv(env_name, str, 1);
+ if (ret != EOK) {
+ DEBUG(2, ("setenv [%s] failed.\n", env_name));
+ goto done;
+ }
+
+ ret = EOK;
+
+done:
+ if (free_str) {
+ talloc_free(str);
+ }
+
+ return ret;
+}
+
+
errno_t check_and_export_options(struct dp_option *opts,
struct sss_domain_info *dom)
{
@@ -53,7 +106,6 @@ errno_t check_and_export_options(struct dp_option *opts,
const char *realm;
const char *dummy;
char *str;
- krb5_deltat lifetime;
realm = dp_opt_get_cstring(opts, KRB5_REALM);
if (realm == NULL) {
@@ -71,42 +123,20 @@ errno_t check_and_export_options(struct dp_option *opts,
SSSD_KRB5_REALM));
}
- str = dp_opt_get_string(opts, KRB5_RENEWABLE_LIFETIME);
- if (str == NULL) {
- DEBUG(5, ("No renewable lifetime configured.\n"));
- } else {
- ret = krb5_string_to_deltat(str, &lifetime);
- if (ret != 0) {
- DEBUG(1, ("Invalid value [%s] for krb5_renewable_lifetime.\n",
- str));
- return EINVAL;
- }
-
- ret = setenv(SSSD_KRB5_RENEWABLE_LIFETIME, str, 1);
- if (ret != EOK) {
- DEBUG(2, ("setenv [%s] failed.\n",
- SSSD_KRB5_RENEWABLE_LIFETIME));
- return ret;
- }
+ ret = check_and_export_lifetime(opts, KRB5_RENEWABLE_LIFETIME,
+ SSSD_KRB5_RENEWABLE_LIFETIME);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to check value of krb5_renewable_lifetime.
[%d][%s]\n",
+ ret, strerror(ret)));
+ return ret;
}
- str = dp_opt_get_string(opts, KRB5_LIFETIME);
- if (str == NULL) {
- DEBUG(5, ("No TGT lifetime configured.\n"));
- } else {
- ret = krb5_string_to_deltat(str, &lifetime);
- if (ret != 0) {
- DEBUG(1, ("Invalid value [%s] for krb5_lifetime.\n",
- str));
- return EINVAL;
- }
-
- ret = setenv(SSSD_KRB5_LIFETIME, str, 1);
- if (ret != EOK) {
- DEBUG(2, ("setenv [%s] failed.\n",
- SSSD_KRB5_LIFETIME));
- return ret;
- }
+ ret = check_and_export_lifetime(opts, KRB5_LIFETIME,
+ SSSD_KRB5_LIFETIME);
+ if (ret != EOK) {
+ DEBUG(1, ("Failed to check value of krb5_lifetime. [%d][%s]\n",
+ ret, strerror(ret)));
+ return ret;
}
dummy = dp_opt_get_cstring(opts, KRB5_KDC);
--
1.7.3.2
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
