Thanks, that solves my concern!

On Thu, Nov 20, 2014 at 5:35 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> On Thu, Nov 20, 2014 at 05:19:57PM +0800, Thomas Lau wrote:
> > What will happen if the laptop hasn't been turned on for a long time and
> > the ticket expired with cache and store password enabled? Is the user
> > unable to log in after it expired?
>
> SSSD doesn't use the ticket to authenticate in the offline case, so sssd
> doesn't really care that the ticket expired.
>
> Rather, when cache_credentials is enabled, we store a hash of the user's
> password in the cache and, if offline, compare what the user entered
> with the stored hash.
>
> By default, the cached password hash never expires, unless you configure
> sssd to do so with offline_credentials_expiration.
>
> > On Thu, Nov 20, 2014 at 5:10 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
> >
> > > On Thu, Nov 20, 2014 at 05:04:02PM +0800, Thomas Lau wrote:
> > > > Does anyone know what the behavior looks like if a mobile user (laptop)
> > > > is disconnected from Kerberos for too long, even though cache is
> > > > enabled by default in our environment?
> > >
> > > SSSD caches the user data and, if cache_credentials is enabled, then also
> > > a salted password hash to enable offline logins.
> > >
> > > Your TGT will eventually expire, but that hardly matters since you're
> > > offline. When you reconnect to the network, you can either run kinit
> > > manually, or for better user experience enable
> > > krb5_store_password_if_offline
> > > to keep your password in the kernel keyring and let sssd kinit on your
> > > behalf when it detects you've gone online again.
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go To http://freeipa.org for more info on the project
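An added example, not part of the original thread and not SSSD project code: a small audit of an sssd.conf that reports the offline-login behavior discussed above. It assumes, per the sssd.conf man page, that offline_credentials_expiration is set in the [pam] section in days with 0 or unset meaning no limit, and that cache_credentials and krb5_store_password_if_offline are per-domain options that default to off; the domain name and sample file are constructed.

```python
import configparser

# Constructed sample sssd.conf; "example.test" is a placeholder domain name.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = example.test

[pam]
# offline_credentials_expiration is not set here

[domain/example.test]
id_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
"""


def audit_offline_auth(conf_text):
    """Return findings about offline-login settings found in sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    # Assumption: the option lives in [pam]; 0 or unset means cached logins never expire.
    days = cp.getint("pam", "offline_credentials_expiration", fallback=0)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section.split("/", 1)[1]
        caching = cp.getboolean(section, "cache_credentials", fallback=False)
        if caching and days == 0:
            findings.append(f"{name}: cached password hash never expires offline")
        elif caching:
            findings.append(f"{name}: offline logins allowed for {days} day(s)")
        if cp.getboolean(section, "krb5_store_password_if_offline", fallback=False):
            findings.append(f"{name}: password kept in kernel keyring until back online")
    return findings


if __name__ == "__main__":
    for finding in audit_offline_auth(SAMPLE_CONF):
        print(finding)
```
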