[Freeipa-users] Re: Strategy to renew TGT - any thoughts?

Thu, 07 Apr 2022 07:06:38 -0700 


---
Francis Augusto Medeiros-Logeay
Oslo, Norway

On 2022-04-07 12:03, Ronald Wimmer via FreeIPA-users wrote:

On 06.04.22 21:39, Francis Augusto Medeiros-Logeay via FreeIPA-users 
wrote:

Hi,



We have a few machines that joined a FreeIPA instance. We use NFSv4 + 
kerberos to mount home directories.



However, if the user do not log on to the machine for more than 7 
days, and he leaves a job executing and that writes to some file on 
his home directory, the cpu usage of the machine goes up to the sky 
and the machine gets almost unusable.



Is there a good strategy to fetch new TGT's when near expiration? I 
know some users generate a key tab (or fetch them using ipa-getkeytab) 
to automate a kinit, but I wonder if we could come with a system-wide 
solution that doesn't lead to storing key tabs around.


Any tips for that?


One way could be

ipa-getkeytab -s ipaserver.somedomain.com -p
someipau...@somedomain.com -P -k ./someipauser.keytab
export KRB5_CLIENT_KTNAME /some/path/to/someipauser.keytab


Thanks Ronald.

So as long as a keytab is generated and the variable is setup, so will 
FreeIPA automatically use it to fetch a new TGT when the older one 
expires after 7 days?


Best,

Francis


Cheers,
Ronald
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org

To unsubscribe send an email to 
freeipa-users-le...@lists.fedorahosted.org

Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure














    

  • [Freeipa-users] Strategy... Francis Augusto Medeiros-Logeay via FreeIPA-users
    • 

    • 

    • [Freeipa-users] Re:... Ronald Wimmer via FreeIPA-users
      • 

      • 

      • [Freeipa-users]... Francis Augusto Medeiros-Logeay via FreeIPA-users
        • 

        • 

        • [Freeipa-us... Sam Morris via FreeIPA-users
          • 

          • 

          • [Freeip... Francis Augusto Medeiros-Logeay via FreeIPA-users
            • 

            • 

            • [F... Alexander Bokovoy via FreeIPA-users
              • 

              • 

              • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
                • 

                • 

                • ... Jim Kinney via FreeIPA-users
                  • 

                • ... Charles Hedrick via FreeIPA-users
                  • 

                • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
                  • 

                • ... Charles Hedrick via FreeIPA-users
                  • 

                • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
                  • 

                • 

              • ... Francis Augusto Medeiros-Logeay via FreeIPA-users
                • 

              

            

          

        

      

    










					Reply via email to