On 06-04-2022 21:39, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi, We have a few machines that joined a FreeIPA instance. We use NFSv4 + kerberos to mount home directories. However, if the user do not log on to the machine for more than 7 days, and he leaves a job executing and that writes to some file on his home directory, the cpu usage of the machine goes up to the sky and the machine gets almost unusable. Is there a good strategy to fetch new TGT's when near expiration? I know some users generate a key tab (or fetch them using ipa-getkeytab) to automate a kinit, but I wonder if we could come with a system-wide solution that doesn't lead to storing key tabs around. Any tips for that?
Have you looked at SSSD's krb5_renew_interval and krb5_renewable_lifetime? On my PC I changed it to: /etc/sssd/sssd.conf [domain/example.com] ... krb5_renewable_lifetime = 60d krb5_renew_interval = 6h I don't really need it anymore because I'm now locking my PC when I go home :-). And when I get back I have to enter my password, after which there is a new TGT. -- Kees _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
