On 10/13/2016 09:34 PM, Kevin Fenzi wrote:
>>> * If we are not completely retiring the koji CA, are we replacing
>>> it?
>> If not retired it has to be replaced, could be certs from freeipa
>> that auto renew with certmonger, which I suspect users would like
>> better than entering their kerberos password once a day.
>
> well, we can adjust the kerberos settings. If they can renew for a week
> would that be sufficient?

Couldn't users simply generate a keytab for themselves? Koji client
supports keytabs directly (via setting in koji.conf or --keytab param),
for other services it should be possible to run "kinit -k" (which can
even be run from startup scripts, cron etc.)

--
Mikolaj Izdebski
IRC: mizdebsk