On 16-12-2020 14:59, François Cami wrote:
> On Wed, Dec 16, 2020 at 2:53 PM Kees Bakker <[email protected]> wrote:
>
>     Thanks for the pointer. A bit old, but probably still relevant.
>
>     Anyway, I was thinking that the following may be the cause of
>     my observation. I'm now working from home (as many will recognize).
>     My setup is an X2GO connection to the office. The session is kept alive
>     all the time and without a screenlock in that X2GO session.
>
>     Before I was working in the office, and there I had a screenlock as soon
>     as I left my desk. I'm guessing that the TGT was renewed or newly created
>     when I unlocked the screen. If that is the case then I never noticed an
>     expired TGT.
>
>     It's just a wild guess.
>
>     In the meantime I'm going to figure out what the configuration should be
>     to not run into an expired TGT all the time. Of course we have a FreeIPA
>     flavor of it all. In my case: Centos7 for the masters, and Ubuntu for the
>     clients.
>
>
> Look at the client's configuration:
> https://linux.die.net/man/5/sssd-krb5
> krb5_store_password_if_offline
> krb5_renewable_lifetime
> krb5_renew_interval
>

In /etc/sssd/sssd.conf I now have:
  krb5_renewable_lifetime = 60d
  krb5_renew_interval = 6h

The ipa client install already placed krb5_store_password_if_offline=True in 
there.

In /etc/krb5.conf in the [libdefaults] section I have:
  ticket_lifetime = 24h
  default_ccache_name = KEYRING:persistent:%{uid}

On the clients I now see a TGT with flags FRIA. Great. It seems that my server
only allows max 7 days.

    renew until 23-12-20 15:18:42, Flags: FRIA

Let's see if this is sufficient.
-- 
Kees
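As an added example (not from this thread), a small Python check that parses `klist -f` output in the dd-mm-yy format shown above and reports whether the renewable window the KDC actually granted matches the krb5_renewable_lifetime requested in sssd.conf, and whether krb5_renew_interval fires before the ticket itself expires. The sample listing, principal and realm are constructed, and the date format is assumed to be the locale shown in the mail.

```python
import re
from datetime import datetime, timedelta

# Constructed klist -f listing in the dd-mm-yy format shown in the mail (not real output)
SAMPLE_KLIST = """Ticket cache: KEYRING:persistent:1000:1000
Default principal: kees@EXAMPLE.COM

Valid starting       Expires              Service principal
16-12-20 15:18:42  17-12-20 15:18:42  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 23-12-20 15:18:42, Flags: FRIA
"""
TIME_FMT = "%d-%m-%y %H:%M:%S"   # assumes the locale shown in the thread
TS = r"\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
ENTRY_RE = re.compile(rf"^\s*({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS}),\s*Flags:\s*(\w+)\s*$")
UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_lifetime(value):
    """Parse an sssd/krb5 duration such as '60d', '6h' or '24h'."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not m:
        raise ValueError(f"unsupported lifetime syntax: {value!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT[m.group(2)])

def parse_tgt(klist_output):
    """Return start, expiry, renew-until and flags of the krbtgt entry."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        tgt = {"start": datetime.strptime(m.group(1), TIME_FMT),
               "expires": datetime.strptime(m.group(2), TIME_FMT),
               "renew_until": None, "flags": ""}
        r = RENEW_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if r:  # the second line only exists when klist was run with -f
            tgt["renew_until"] = datetime.strptime(r.group(1), TIME_FMT)
            tgt["flags"] = r.group(2)  # F=forwardable R=renewable I=initial A=preauth
        return tgt
    raise ValueError("no krbtgt entry found in klist output")

def check_renewal(klist_output, requested, renew_interval):
    """Compare the renewable window the KDC granted with what the client asked for."""
    tgt = parse_tgt(klist_output)
    renewable = "R" in tgt["flags"] and tgt["renew_until"] is not None
    granted = tgt["renew_until"] - tgt["start"] if renewable else timedelta(0)
    return {"renewable": renewable, "granted": granted,
            # KDC policy (max renewable life) can shorten what sssd requested
            "capped_by_kdc": renewable and granted < parse_lifetime(requested),
            # the renew task must run before the ticket itself expires
            "interval_ok": parse_lifetime(renew_interval) < tgt["expires"] - tgt["start"]}
```

Running `check_renewal(SAMPLE_KLIST, "60d", "6h")` on the constructed listing reports a 7-day granted window, capped by the KDC relative to the requested 60 days, with the 6h renew interval safely inside the 24h ticket lifetime.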
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]