Matrix wrote:
Hi, All

IPA server was installed on ipaserver.dev.example.net

A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to
ipaclient2. I found that the rsync cron jobs fail once the 'ads'
Kerberos ticket has expired.

I would like to renew Kerberos tickets before expiration without user
intervention, but failed.

krb configuration:

# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.NET
  dns_lookup_realm = false
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
  renew_lifetime = 7d

[realms]
  EXAMPLE.NET = {
   kdc = ipaserver.dev.example.net:88
   master_kdc = ipaserver.dev.example.net:88
   admin_server = ipaserver.dev.example.net:749
   default_domain = example.net
   pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
  .example.net = EXAMPLE.NET
  example.net = EXAMPLE.NET

[dbmodules]
   EXAMPLE.NET = {
     db_library = ipadb.so
   }

When I tried to renew the Kerberos ticket from client1, the following
error message was shown:
$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

And logs from ipa server:
# tailf /var/log/krb5kdc.log
......
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ
(6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE:
authtime 0,  a...@example.net for krbtgt/example....@example.net, KDC
can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing
down fd 10
......

Any suggestions would be appreciated.


Please see the list archives, for example https://www.redhat.com/archives/freeipa-users/2016-June/msg00176.html

rob
