diff --git a/kcm/config.c b/kcm/config.c
index be4bce6af..1a2b81ceb 100644
--- a/kcm/config.c
+++ b/kcm/config.c
@@ -45,6 +45,7 @@ static char *max_request_str; /* `max_request' as a string */
int detach_from_console = -1;
int daemon_child = -1;
+int automatic_renewal = -1;
static const char *system_cache_name = NULL;
static const char *system_keytab = NULL;
@@ -93,6 +94,10 @@ static struct getargs args[] = {
"daemon-child", 0 , arg_integer, &daemon_child,
"private argument, do not use", NULL
},
+ {
+ "automatic-renewal", 0 , arg_negative_flag, &automatic_renewal,
+ "disable automatic TGT renewal", NULL
+ },
{ "help", 'h', arg_flag, &help_flag, NULL, NULL },
{
"system-principal", 'k', arg_string, &system_principal,
@@ -390,6 +395,13 @@ kcm_configure(int argc, char **argv)
krb5_err(kcm_context, 1, ret, "initializing system ccache");
}
+ if(automatic_renewal == -1)
+ automatic_renewal = krb5_config_get_bool_default(kcm_context, NULL,
+ TRUE,
+ "kcm",
+ "automatic_renewal",
+ NULL);
+
if(detach_from_console == -1)
detach_from_console = krb5_config_get_bool_default(kcm_context, NULL,
FALSE,
diff --git a/kcm/events.c b/kcm/events.c
index cbbe58ac2..8b78c10f0 100644
--- a/kcm/events.c
+++ b/kcm/events.c
@@ -220,7 +220,7 @@ kcm_ccache_make_default_event(krb5_context context,
event->fire_time = time(NULL); /* right away */
event->action = KCM_EVENT_ACQUIRE_CREDS;
} else if (is_primary_credential_p(context, ccache, newcred)) {
- if (newcred->flags.b.renewable) {
+ if (automatic_renewal && newcred->flags.b.renewable) {
event->action = KCM_EVENT_RENEW_CREDS;
ccache->flags |= KCM_FLAGS_RENEWABLE;
} else {
diff --git a/kcm/kcm_locl.h b/kcm/kcm_locl.h
index c33738497..dc0110448 100644
--- a/kcm/kcm_locl.h
+++ b/kcm/kcm_locl.h
@@ -169,6 +169,7 @@ extern sig_atomic_t exit_flag;
extern int name_constraints;
extern int detach_from_console;
extern int daemon_child;
+extern int automatic_renewal;
extern int launchd_flag;
extern int disallow_getting_krbtgt;