Hi all.

We have setup FreeIPA on a F-15 virtual machine. I'm currently testing with a F-14 client. We would like to keep F-14, as F-15 seems not generally stable enough for wide deployment (graphics issues etc.). I have described the setup a bit at http://www.niemueller.de/blog/id/245, which was possible only through numerous IRC sessions on #freeipa. This issue here seems a little more long-standing, hence the mail this time.

I'm having a hard time getting the setup running reliably. Initial login and desktop use works fine. But a typical use case is leaving the desktop running overnight with just the screen locked (there might be stuff running in the background). Now, if I return the next day and try to use the machine, the machine is frozen and cannot be used. Tickets have not been renewed, in particular the one for the NFSv4 server protected by Kerberos (sec=krb5). It just expired after 24h.

The problem can be recreated quickly with a shorter 5-minute lifetime with the following modifications (on the client).

This assumes that you have /home mounted via Kerberos-protected NFSv4 share!

In /etc/sssd/sssd.conf:
krb5_renewable_lifetime = 14d
krb5_renew_interval = 60
krb5_lifetime = 5m


Then reboot (just restarting sssd does not always show the problem, especially if you had been logged in before). Then log in and wait five minutes; the machine freezes, as the NFS key has expired. If you do a klist just before the timeout expires, you see that the keys have not been renewed as expected (but the renewable end time is still way in the future, even if the FreeIPA server default of 7d was not increased). Maybe I need to set some magic flag for rpc.gssd, but I couldn't find it.

Is there something I can do on my side to get this working? Or is it a FreeIPA or sssd shortcoming, or even "intended not to work by design"?

Ideally, I want to make it possible for users to just stay logged in all the time, so even acquiring new tickets automatically by requesting an intermediate user authentication or just doing it from the screensaver would be great, but I guess with /home mounted I'm pretty much out of luck? Is there alternatively a way to only authenticate the host via krb5, but not the user? In the old days we would simply use IP addresses to allow access. Well, that's bad, but having just the host authenticate to prevent laptop road warriors from snooping around could be just enough for us and avoid user ticket renewal, any idea?

Thanks for your input.

KBSG - Knowledge-Based Systems Group            AllemaniACs RoboCup Team
http://robocup.rwth-aachen.de                     RWTH Aachen University
http://kbsg.rwth-aachen.de                               Ahornstrasse 55
http://www.fawkesrobotics.org                             D-52056 Aachen

Freeipa-users mailing list
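An added diagnostic for the klist check described in the mail (example code, not from the mail or from sssd/FreeIPA): it parses MIT klist output and classifies each ticket, making the point that a ticket can only be renewed while it is still valid, so a "renew until" date far in the future does not help once the short krb5_lifetime has run out. The klist date format, the principal names and the sample output are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: MIT klist's two-line layout with "MM/DD/YY HH:MM:SS" stamps;
# change DATE_FMT if your locale prints them differently.
DATE_FMT = "%m/%d/%y %H:%M:%S"
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)\s*$" % (STAMP, STAMP))
RENEW_RE = re.compile(r"^\s+renew until (%s)\s*$" % STAMP)

# Constructed sample, shaped like the mail's krb5_lifetime = 5m test case.
SAMPLE_KLIST = """\
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
06/15/11 09:00:00  06/15/11 09:05:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 06/29/11 09:00:00
06/15/11 09:00:01  06/15/11 09:05:00  nfs/fileserver.example.com@EXAMPLE.COM
        renew until 06/29/11 09:00:01
"""

def parse_klist(text):
    """Return one dict per ticket: principal, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"principal": m.group(3), "renew_until": None,
                            "expires": datetime.strptime(m.group(2), DATE_FMT)})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), DATE_FMT)
    return tickets

def ticket_state(ticket, now, margin=timedelta(seconds=60)):
    """Classify a ticket: renewal only works while it is still valid, so an
    expired ticket is dead even if 'renew until' lies far in the future."""
    if now >= ticket["expires"]:
        return "expired"
    if ticket["renew_until"] is None or ticket["renew_until"] <= now:
        return "final"        # still usable, but cannot be renewed again
    if ticket["expires"] - now <= margin:
        return "renew-now"    # kinit -R has to run before the expiry time
    return "valid"

def check(text, now_stamp, margin=timedelta(seconds=60)):
    """Map principal -> state; now_stamp uses the same format as klist."""
    now = datetime.strptime(now_stamp, DATE_FMT)
    return {t["principal"]: ticket_state(t, now, margin) for t in parse_klist(text)}
```

Feed it the output of `klist` from the user's credential cache at the interval sssd is supposed to renew at; a "renew-now" TGT that later turns "expired" shows renewal was skipped before the deadline.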