LCFG ngeneric kinit plugin

April 26, 2018

I’ve recently put a bit of work into making the LCFG ngeneric kinit environment initialisation plugin more generally useful. Prior to Kenny’s helpful tip on getting the gssapi library to do most of the work, I had planned to use this plugin within the LCFG client for Kerberos authentication when fetching profiles. It can now manage the credentials cache in a similar way to k5start, renewing the credentials whenever they expire or are within a certain time before expiry. So it’s now possible to do this from any Perl code:

use LCFG::Component::Plugin::Kinit;

my $plugin = LCFG::Component::Plugin::Kinit->new(
    params    => {
        keytab    => "/etc/lcfg/client.keytab",
        principal => 'lcfg/test.example.org@EXAMPLE.ORG',
        group     => 'lcfg',
        mode      => '0640',
    },
);
$plugin->run();

I’ve also added support for specifying the owner, group and mode of the credentials cache file (bug#1061) and improved support for controlling whether the cache file is removed automatically when the calling process ends. At the same time I have resolved a longstanding issue with calling the run method multiple times (bug#1060), which is hit, at least, when an LCFG component restart method is used.
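
To confirm that a credentials cache file really has the group and mode that were requested, a caller can audit it afterwards. The following is an added example, not part of the LCFG plugin or the original post: `audit_ccache` is a hypothetical helper, a temporary file stands in for the cache, and the 0600 fallback mode is an assumption.

```perl
use strict;
use warnings;
use File::stat;                 # object-returning stat/lstat
use File::Temp qw(tempfile);
use Fcntl qw(:mode);

# audit_ccache is a hypothetical helper, not part of LCFG.
# Returns a list of findings; an empty list means the file matches.
sub audit_ccache {
    my ( $path, %want ) = @_;

    # lstat: report a symlink at the cache path instead of following it
    my $st = lstat($path) or return ("cannot stat $path: $!");
    return ("$path is not a regular file") if !S_ISREG( $st->mode );

    my @findings;
    my $mode    = S_IMODE( $st->mode );
    my $allowed = oct( $want{mode} // '0600' );    # assumed fallback: owner-only

    # Any permission bit beyond the requested mode exposes the tickets
    push @findings, sprintf( 'mode %04o exceeds requested %04o', $mode, $allowed )
        if $mode & ~$allowed & 07777;

    if ( defined $want{group} ) {
        my $gid = getgrnam( $want{group} );
        if ( !defined $gid ) {
            push @findings, "no such group $want{group}";
        }
        elsif ( $st->gid != $gid ) {
            push @findings, 'group is gid ' . $st->gid . ", expected $want{group}";
        }
    }
    return @findings;
}

# Constructed sample: a temporary file stands in for the credentials cache.
my ( $fh, $cache ) = tempfile( UNLINK => 1 );
my $group = getgrgid( stat($cache)->gid );    # whatever group the temp file has

chmod 0644, $cache or die "chmod: $!";
print "0644: $_\n" for audit_ccache( $cache, mode => '0640', group => $group );

chmod 0640, $cache or die "chmod: $!";
my @left = audit_ccache( $cache, mode => '0640', group => $group );
print @left ? "0640: @left\n" : "0640: matches requested group and mode\n";
```

On a real host, pass the actual cache path and the same `group` and `mode` values that were given to the plugin.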