> So as long as a keytab is generated and the variable is set up, so will
> FreeIPA automatically use it to fetch a new TGT when the older one expires after 7 days?

You need something to automate the process of obtaining a ticket-granting-ticket every so often. Check out kstart <https://www.eyrie.org/~eagle/software/kstart/> for this purpose. The user needs to run their job via k5start, and k5start takes on the job of obtaining and renewing a TGT while the job is running.

If you can't use kstart, something else will have to keep running 'kinit -k -i' every so often. I suggest the '-i' argument because it uses a standard well-known keytab location; you only have to drop your keytab at that location & make sure the user can read it, and kinit is clever enough to figure out the principal name itself. The location is documented in the kerberos(7) man page - look for KRB5_CLIENT_KTNAME (or just run 'kinit -k -i' and it will spit out the location it's looking for in the error message).

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
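
The periodic 'kinit -k -i' approach from the reply above, as an added example that is not part of the original message: a wrapper that only calls kinit when the client keytab is private to the calling user. The function names, the exit codes and the owner-only mode policy are assumptions of this sketch; only 'kinit -k -i' and KRB5_CLIENT_KTNAME come from the message.

```shell
#!/bin/sh
# Added example: names and the ownership/mode policy below are assumptions.

# Resolve the keytab path from $1 or KRB5_CLIENT_KTNAME, dropping a FILE: prefix.
keytab_path() {
    kt="${1:-${KRB5_CLIENT_KTNAME:-}}"
    case "$kt" in FILE:*) kt="${kt#FILE:}" ;; esac
    printf '%s\n' "$kt"
}

# Succeed only for a regular file (not a symlink) that we own, can read,
# and that grants nothing to group/other. A keytab holds long-term keys.
keytab_is_private() {
    [ -r "$1" ] || return 1
    # ls -ldn does not follow symlinks; field 1 is the mode, field 3 the uid.
    set -- $(ls -ldn -- "$1" 2>/dev/null)
    [ $# -ge 3 ] || return 1
    case "$1" in
        *+) return 1 ;;            # extra ACL entries: needs manual review
        -???------*) ;;            # regular file, no group/other bits
        *) return 1 ;;
    esac
    [ "$3" = "$(id -u)" ]
}

# Obtain a fresh TGT from the keytab; exit codes 2 and 3 mean kinit never ran.
renew_tgt() {
    kt=$(keytab_path "${1:-}")
    [ -n "$kt" ] || { echo "no keytab given and KRB5_CLIENT_KTNAME unset" >&2; return 2; }
    keytab_is_private "$kt" || { echo "refusing $kt: wrong owner or mode" >&2; return 3; }
    KRB5_CLIENT_KTNAME="FILE:$kt" kinit -k -i
}

# Only act when asked, e.g. from cron: this-script renew /path/to/client.keytab
case "${1:-}" in renew) renew_tgt "${2:-}" ;; esac
```

Schedule it more often than the ticket lifetime, since each run requests a new TGT from the keytab rather than extending the old one.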
