Hi all.
We have set up FreeIPA on a F-15 virtual machine. I'm currently testing
with a F-14 client. We would like to keep F-14, as F-15 seems not
generally stable enough for wide deployment (graphics issues etc.). I
have described the setup a bit at http://www.niemueller.de/blog/id/245,
which was possible only through numerous IRC sessions on #freeipa. This
issue here seems a little more long-standing, hence the mail this time.
I'm having a hard time getting the setup running reliably. Initial login
and desktop use works fine. But a typical use case is leaving the
desktop running overnight with just the screen locked (there might be
stuff running in the background). Now, if I return the next day and try
to use the machine, the machine is frozen and cannot be used. Tickets
have not been renewed, in particular the one for the NFSv4 server
protected by Kerberos (sec=krb5). It just expired after 24h.
The problem can be recreated quickly with a shorter 5 minute lifetime
with the following modifications (on the client).
This assumes that you have /home mounted via Kerberos-protected NFSv4 share!
In /etc/sssd/sssd.conf:
[domain/somedomain]
krb5_renewable_lifetime = 14d
krb5_renew_interval = 60
krb5_lifetime = 5m
[domain/default]
krb5_renewable_lifetime = 14d
krb5_renew_interval = 60
krb5_lifetime = 5m
Then reboot (just restarting sssd does not always show the problem,
especially if you had been logged in before).
Then log in and wait five minutes; the machine freezes, as the NFS key
has expired. If you do a klist just before the timeout expires, you see
that the keys have not been renewed as expected (but the renewable end
time is still way in the future, even if the FreeIPA server default of
7d was not increased). Maybe I need to set some magic flag for rpc.gssd,
but I couldn't find it.
Is there something I can do on my side to get this working? Or is it a
FreeIPA or sssd shortcoming, or even "intended not to work by design"?
Ideally, I want to make it possible for users to just keep logged in all
the time, so even acquiring new tickets automatically by requesting an
intermediate user authentication or just doing it from the screensaver
would be great, but I guess with /home mounted I'm pretty much out of
luck? Is there alternatively a way to only authenticate the host via
krb5, but not the user? In the old days we would simply use IP addresses
to allow access. Well, that's bad, but having just the host authenticate
to prevent laptop road warriors from snooping around could be just
enough for us and avoid user ticket renewal. Any idea?
Thanks for your input.
Tim
--
KBSG - Knowledge-Based Systems Group    AllemaniACs RoboCup Team
========================================================================
http://robocup.rwth-aachen.de           RWTH Aachen University
http://kbsg.rwth-aachen.de              Ahornstrasse 55
http://www.fawkesrobotics.org           D-52056 Aachen
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
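An added check (example code, not part of Tim's mail and not sssd's or FreeIPA's own tooling) that parses the text output of MIT Kerberos `klist` and flags tickets that are about to expire while their renewable end time is still in the future, which is the state the mail describes seeing in klist just before the freeze. The klist sample is constructed; the date format assumed is the MIT klist default `MM/DD/YYYY HH:MM:SS`; the 60-second threshold mirrors the `krb5_renew_interval = 60` setting in the mail, so a ticket with less than one renew interval of life left should already have been renewed.

```python
"""Flag Kerberos tickets whose renewal is overdue, from klist text output.

Added example, not code from the original mail. The sample klist output is
constructed; the time format assumes MIT klist's default MM/DD/YYYY HH:MM:SS.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

KLIST_TIME_FMT = "%m/%d/%Y %H:%M:%S"  # assumed MIT klist default format
TIME_PAT = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TIME_PAT})\s+({TIME_PAT})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TIME_PAT})")

# Constructed sample: a 5-minute TGT and NFS ticket (renewable for two weeks)
# plus an old host ticket whose renewable window has already closed.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tim@EXAMPLE.COM

Valid starting       Expires              Service principal
06/20/2011 09:00:00  06/20/2011 09:05:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 07/04/2011 09:00:00
06/20/2011 09:00:05  06/20/2011 09:05:00  nfs/nfsserver.example.com@EXAMPLE.COM
\trenew until 07/04/2011 09:00:00
06/13/2011 09:00:00  06/20/2011 09:05:00  host/oldclient.example.com@EXAMPLE.COM
\trenew until 06/20/2011 09:00:00
"""


@dataclass
class Ticket:
    valid_from: datetime
    expires: datetime
    principal: str
    renew_until: datetime | None = None


def parse_time(text: str) -> datetime:
    """Parse one klist timestamp (assumed MM/DD/YYYY HH:MM:SS)."""
    return datetime.strptime(text, KLIST_TIME_FMT)


def parse_klist(text: str) -> list[Ticket]:
    """Turn klist's ticket table into Ticket records.

    A ticket line carries start, expiry and principal; an indented
    'renew until' line, when present, belongs to the ticket just above it.
    """
    tickets: list[Ticket] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(parse_time(m.group(1)),
                                  parse_time(m.group(2)), m.group(3)))
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1].renew_until = parse_time(m.group(1))
    return tickets


def check_renewal(tickets: list[Ticket], now: datetime,
                  renew_interval: timedelta = timedelta(seconds=60)):
    """Split near-expiry tickets into 'renewal overdue' and 'not renewable'.

    A ticket with more than one renew interval of life left is ignored. One
    that is about to expire (or already has) but is still inside its renewable
    window should have been renewed by the periodic renewer: that is the
    symptom in the mail. One whose renewable window has closed can only be
    fixed by a fresh authentication, never by renewal.
    """
    overdue: list[Ticket] = []
    unrenewable: list[Ticket] = []
    for t in tickets:
        if t.expires - now > renew_interval:
            continue
        if t.renew_until is not None and t.renew_until > now:
            overdue.append(t)
        else:
            unrenewable.append(t)
    return overdue, unrenewable


def report(text: str, now: datetime) -> list[str]:
    """Human-readable lines for each flagged ticket."""
    overdue, unrenewable = check_renewal(parse_klist(text), now)
    lines = [f"RENEWAL OVERDUE  {t.principal} expires {t.expires}, "
             f"renewable until {t.renew_until}" for t in overdue]
    lines += [f"NOT RENEWABLE    {t.principal} expires {t.expires}"
              for t in unrenewable]
    return lines


if __name__ == "__main__":
    # 30 seconds before the constructed tickets expire.
    for line in report(SAMPLE_KLIST, parse_time("06/20/2011 09:04:30")):
        print(line)
```

Run against the live cache with something like `klist | python check_renewal.py` once the sample is replaced by `sys.stdin.read()` and `now` by `datetime.now()`; the expiry of the `nfs/` ticket is the one that matters for a Kerberos-protected `/home`, since once it lapses every file access blocks.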