Thanks, that solves my concern!
On Thu, Nov 20, 2014 at 5:35 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Thu, Nov 20, 2014 at 05:19:57PM +0800, Thomas Lau wrote:
> > What will happen if the laptop hasn't been turned on for a long time and the
> > ticket has expired, with cache and store password enabled? Is the user unable
> > to log in after it has expired?
> SSSD doesn't use the ticket to authenticate in the offline case, so sssd
> doesn't really care that the ticket expired.
> Rather, when cache_credentials is enabled, we store a hash of the user's
> password in the cache and if offline, compare what the user entered
> with the stored hash.
> By default, the cache password hash never expires, unless you configure
> sssd to do so with offline_credentials_expiration.
> > On Thu, Nov 20, 2014 at 5:10 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> > > On Thu, Nov 20, 2014 at 05:04:02PM +0800, Thomas Lau wrote:
> > > > Does anyone know what the behavior looks like if a mobile user
> > > > is disconnected from Kerberos for too long, even if cache is enabled
> > > > by default in our environment?
> > >
> > > SSSD caches the user data and if cache_credentials is enabled, then
> > > a salted password hash to enable offline logins.
> > >
> > > Your TGT will eventually expire, but that hardly matters since you're
> > > offline. When you reconnect to the network, you can either run kinit
> > > manually, or for better user experience enable
> > > krb5_store_password_if_offline
> > > to keep your password in the kernel keyring and let sssd kinit on your
> > > behalf when it detects you've gone online again.
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go To http://freeipa.org for more info on the project
> > >
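
An added example (not from the thread or from the SSSD project): a small Python check that reads an sssd.conf and reports, per domain, the three settings discussed above. The sample configuration and domain name are constructed, and the defaults assumed for unset options (cache_credentials and krb5_store_password_if_offline off, offline_credentials_expiration set in [pam] with 0 meaning no limit) are taken from the SSSD man pages.

```python
import configparser

# Constructed sample sssd.conf; the domain name is a placeholder.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = example.test

[pam]
offline_credentials_expiration = 0

[domain/example.test]
id_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
"""


def _is_true(value):
    """sssd.conf booleans are written as true/false, case-insensitively."""
    return str(value).strip().lower() == "true"


def audit_offline_auth(conf_text):
    """Return {domain: settings} describing how offline logins will behave."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Days since the last successful online login; lives in [pam], 0 = no limit.
    days = int(cp.get("pam", "offline_credentials_expiration", fallback="0"))
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        cached = _is_true(dom.get("cache_credentials", "false"))
        report[section[len("domain/"):]] = {
            # A cached password hash is what makes offline login possible.
            "offline_login": cached,
            # None means the cached hash never expires (or nothing is cached).
            "hash_expires_after_days": (days or None) if cached else None,
            # Password kept in the kernel keyring so sssd can kinit when online.
            "kinit_on_reconnect": _is_true(
                dom.get("krb5_store_password_if_offline", "false")),
        }
    return report


if __name__ == "__main__":
    for name, settings in audit_offline_auth(SAMPLE_CONF).items():
        print(name, settings)
```

A domain reporting `offline_login: True` with `hash_expires_after_days: None` matches the default behaviour described in the reply: the cached hash stays valid for offline logins indefinitely, regardless of TGT expiry.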