Hi all,

The IPA server was installed on ipaserver.dev.example.net.

A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to 
ipaclient2. I found that the rsync cron jobs fail once the 'ads' Kerberos 
ticket has expired. 

I would like to renew Kerberos tickets before expiration without user 
intervention, but failed. 

krb configuration: 

# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}
 renew_lifetime = 7d

[realms]
 EXAMPLE.NET = {
  kdc = ipaserver.dev.example.net:88
  master_kdc = ipaserver.dev.example.net:88
  admin_server = ipaserver.dev.example.net:749
  default_domain = example.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .example.net = EXAMPLE.NET
 example.net = EXAMPLE.NET

[dbmodules]
  EXAMPLE.NET = {
    db_library = ipadb.so
  }

When I tried to renew the Kerberos ticket from client1, this error message 
was shown:
$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

And the logs from the IPA server: 
# tailf /var/log/krb5kdc.log
......
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0,  a...@example.net for krbtgt/example....@example.net, KDC can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
......

Any suggestions would be appreciated. 

Best Regards

Matrix
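
Added example, not part of the original post: a small Python parser for krb5kdc.log request lines of the shape quoted above, counting `TICKET NOT RENEWABLE` rejections per client principal and source address. The host, principal, realm and addresses in the sample lines are constructed, and the layout of the `ISSUE` line is an assumption based on the usual MIT krb5 log format.

```python
import re
from collections import Counter

# Layout of a krb5kdc request line as shown in the post:
#   <timestamp> <host> krb5kdc[pid](level): <REQ> (<etypes>) <ip>: <STATUS>: authtime <n>, <details>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skrb5kdc\[\d+\]\(\w+\):\s"
    r"(?P<req>AS_REQ|TGS_REQ)\s\(.*?\)\s(?P<ip>[\d.]+):\s"
    r"(?P<status>[A-Z_ ]+):\sauthtime\s(?P<authtime>\d+),\s+(?P<details>.*)$"
)
# "<client> for <service>" appears in both issued and rejected requests.
PRINCIPALS_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^,\s]+)")

# Constructed sample lines (host, principal, realm and addresses are made up;
# the ISSUE line layout is an assumption, the rejection layout follows the post).
SAMPLE_LOG = """\
Jun 14 06:20:01 kdc.example.test krb5kdc[100](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1497421201, etypes {rep=18 tkt=18 ses=18}, svc-sync@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jun 14 06:22:35 kdc.example.test krb5kdc[100](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: TICKET NOT RENEWABLE: authtime 0,  svc-sync@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC can't fulfill requested option
Jun 14 06:22:35 kdc.example.test krb5kdc[100](info): closing down fd 10
Jun 14 07:22:35 kdc.example.test krb5kdc[100](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: TICKET NOT RENEWABLE: authtime 0,  svc-sync@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, KDC can't fulfill requested option
"""

def parse_line(line):
    """Return a dict for a KDC request line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    p = PRINCIPALS_RE.search(rec["details"])
    rec["client"] = p.group("client") if p else None
    rec["service"] = p.group("service") if p else None
    return rec

def renewal_rejections(lines):
    """Count TICKET NOT RENEWABLE rejections per (client, source address)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["req"] == "TGS_REQ" and rec["status"] == "TICKET NOT RENEWABLE":
            hits[(rec["client"], rec["ip"])] += 1
    return hits

if __name__ == "__main__":
    for (client, ip), n in renewal_rejections(SAMPLE_LOG.splitlines()).items():
        print(f"{client} from {ip}: {n} rejected renewal request(s)")
```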