kerberos keyring ccache

Luke Howard lukeh at padl.com
Tue Jan 24 01:21:07 GMT 2006


>IIRC on OS/2 a daemon in userspace started trying to refresh Kerberos 
>service tickets needed by the
>network filesystem client well before they expired (perhaps starting at 
>1/2 ticket expiration time).

Right, this is the way to go:

| From: Alexandra Ellwood <lxs at MIT.EDU>
| Subject: Re: Thoughts on long-lived credentials
| To: lukeh at padl.com
| Cc: kerberos at MIT.EDU, kwc at umich.edu, geert.jansen at shell.com
| Date: Thu, 19 Jan 2006 12:59:15 -0500
|
| Kerberos.app on Mac OS X has auto-renewed tickets for a while now.
| It waits until the tickets are more than 1/2 expired and then tries
| to renew them.  If the machine is off the network, it halves the time
| left and sets a timer to try again at that time (with a minimum time
| between tries to avoid going crazy just before the tickets expire).
| It also detects wake from sleep and if the tickets are more than 1/2
| expired on wake it will try immediately.  This algorithm works well
| on laptops using Kerberos as well as desktops.

>context - typically achieved by encapsulating Kerberos tickets (or even 
>in the old days an NTLM password) via SPNEGO (IIRC this is basically RFC 2478
>but opaque to my code if user space utilities such as the misnamed "ntlm_auth"
>utility or equivalent hide this) but in theory this could be something other 
>than Kerberos, perhaps x509 even though not seen often in the wild yet.

NFSv4 supports SPKM, LIPKEY -- not sure if anyone is actually shipping
implementations yet.

SPNEGO and mechglue are very useful here. I think the only OS vendor that
is really shipping working code here is Sun in Solaris 10. The Linux
NFSv4 GSS implementation has mechglue but this should really be in the
base OS...

-- Luke

--


More information about the samba-technical mailing list