URL:
https://github.com/SSSD/sssd/pull/5450
Title: #5450: kcm: add support for kerberos tgt renewals
justin-stephenson commented:
"""
Ah, I missed the last patch: `KCM: Disable responder idle timeout
with renewals`. So it will work correctly. But I wonder if it would be better to keep the
idle timeout enabled. What we could do is to make systemd timer send a SSSD-specific KCM
op code periodically and renew the tickets per-request. This would also simplify the logic
by a lot since you would not have to keep the hash table and timers.
I'm fine with this approach, but if the systemd timer file is installed conditionally
at build time (if KCM renewals are built), then what interval value, i.e. amount of time
that KCM wakes up to attempt renewals, should we set in the systemd timer file? Currently
the renew interval is defined with the `krb5_renew_interval` option in sssd.conf. This is
an important consideration because if the renewal interval is too high then we could miss
renewing tickets that have already expired, too low and it may add unnecessary KCM load.
I suppose the other side effect is that fallback to `auth_provider=krb5` renew config
options would no longer work.
"""
See the full comment at
https://github.com/SSSD/sssd/pull/5450#issuecomment-799506171