URL:
https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented:
"""
Sorry for the delay. I updated the PR to:
* Use the exported krb5 marshalling credentials functions
* Build KCM renewals code conditionally: if the krb5 marshalling functions are available,
then we auto-detect that and build with KCM renewals; explicit `--enable-kcm-renewal` and
`--disable-kcm-renewal` ./configure options can also be provided to override
auto-detection.
I also noticed that the responder idle timeout can shut down KCM when renewals are
configured, so I added commit b206ba3c0340877b0e6df2e530fdb350b838ac5d to disable the
responder idle timeout when renewals code is built. Once KCM comes up with renewals
configured it will stay active.
This does not handle the case when a renewal is expected to occur after the system boots
but before any Kerberos activity has occurred to socket-activate KCM. I don't know if
this is a valid case we need to handle; it seems unlikely to me, but @sumit-bose suggested
we could install a .timer file for sssd-kcm.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5450#issuecomment-777779438