On Wed, Dec 16, 2020 at 03:31:27PM +0100, Kees Bakker via FreeIPA-users wrote:
> On 16-12-2020 14:59, François Cami wrote:
> > On Wed, Dec 16, 2020 at 2:53 PM Kees Bakker <[email protected]> wrote:
> >
> >     Thanks for the pointer. A bit old, but probably still relevant.
> >
> >     Anyway, I was thinking that the following may be the cause of
> >     my observation. I'm now working from home (as many will recognize).
> >     My setup is an X2GO connection to the office. The session is kept alive
> >     all the time and without a screenlock in that X2GO session.
> >
> >     Before I was working in the office, and there I had a screenlock as soon
> >     as I left my desk. I'm guessing that the TGT was renewed or newly created
> >     when I unlocked the screen. If that is the case then I never noticed an
> >     expired TGT.
Hi,

yes, whenever you type your password to unlock the screen and SSSD is
online a new TGT is requested.

> >     It's just a wild guess.
> >
> >     In the meantime I'm going to figure out what the configuration should be
> >     to not run into an expired TGT all the time. Of course we have a FreeIPA
> >     flavor of it all. In my case: CentOS 7 for the masters, and Ubuntu for the
> >     clients.
> >
> >
> > Look at the client's configuration:
> > https://linux.die.net/man/5/sssd-krb5
> > krb5_store_password_if_offline
> > krb5_renewable_lifetime
> > krb5_renew_interval
> >
> In /etc/sssd/sssd.conf I now have:
>   krb5_renewable_lifetime = 60d
>   krb5_renew_interval = 6h
>
> The ipa client install already placed krb5_store_password_if_offline=True in
> there.
>
> In /etc/krb5.conf in the [libdefaults] section I have:
>   ticket_lifetime = 24h
>   default_ccache_name = KEYRING:persistent:%{uid}

Using KEYRING might currently be an issue because of
https://bugzilla.redhat.com/show_bug.cgi?id=1722126, SSSD currently only
refreshes FILE type ccaches.

bye,
Sumit

>
> On the clients I now see a TGT with flags FRIA. Great. It seems that my server
> only allows max 7 days.
>
>       renew until 23-12-20 15:18:42, Flags: FRIA
>
> Let's see if this is sufficient.
> --
> Kees
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
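The client-side check this exchange implies, as an added example that is not from any of the thread's participants: it parses `klist -f` output (a constructed sample, modelled on the `renew until ..., Flags: FRIA` line quoted above, with a made-up principal and cache name) and reports whether the TGT carries the renewable flag and whether the ccache is the KEYRING type that, per Sumit's note, SSSD does not refresh.

```shell
#!/bin/sh
# Constructed sample of `klist -f` output for this example. The flags line
# mirrors the one quoted in the thread; principal and cache name are made up.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1000:krb_ccache_X
Default principal: [email protected]

Valid starting       Expires              Service principal
16-12-20 15:18:42  17-12-20 15:18:42  krbtgt/[email protected]
        renew until 23-12-20 15:18:42, Flags: FRIA'

# ccache_type "<klist output>": print the ccache type (KEYRING, FILE, ...).
ccache_type() {
  printf '%s\n' "$1" | sed -n 's/^Ticket cache: \([A-Za-z]*\):.*/\1/p'
}

# renew_until "<klist output>": print the "renew until" timestamp of the TGT.
renew_until() {
  printf '%s\n' "$1" | sed -n 's/.*renew until \(.*\), Flags:.*/\1/p'
}

# tgt_renewable "<klist output>": succeed only if the krbtgt entry carries
# the R (renewable) flag; klist prints the flags on the line after krbtgt.
tgt_renewable() {
  printf '%s\n' "$1" | awk '
    /krbtgt\// { want = 1; next }
    want && /Flags:/ { if ($0 ~ /Flags: [A-Za-z]*R/) found = 1; want = 0 }
    END { if (found) exit 0; exit 1 }'
}

# check_tgt "<klist output>": 0 = renewable TGT in a ccache SSSD can refresh,
# 1 = TGT not renewable, 2 = KEYRING ccache (not refreshed by SSSD, per the
# bugzilla link in the thread).
check_tgt() {
  cctype=$(ccache_type "$1")
  if [ "$cctype" = "KEYRING" ]; then
    echo "ccache is $cctype: SSSD will not renew it; point default_ccache_name at a FILE ccache"
    return 2
  fi
  if ! tgt_renewable "$1"; then
    echo "TGT lacks the R flag: check krb5_renewable_lifetime and the KDC's max renewable life"
    return 1
  fi
  echo "renewable TGT in $cctype ccache, renew until $(renew_until "$1")"
  return 0
}

check_tgt "$SAMPLE_KLIST"; echo "exit status: $?"
```

On a real client, feed it `"$(klist -f)"` instead of the sample; exit status 2 on the sample reflects the KEYRING setting quoted in the thread.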
