Hello David/Lukas

Thank you for your assistance so far. I still have the problem and not
even sure what to look at next.  We are still seeing key expiry error
from NFS even after the proposed changes.

[william@silicon ~]$ ssh iron
Last login: Wed Mar  1 19:26:56 2017 from silicon.eng.example.com
Could not chdir to home directory /home/william: Key has expired
[william@iron /]$

[rtdamgr@silicon ~]$ ssh manganese
Last login: Wed Mar  1 19:26:57 2017 from silicon.eng.example.com
Could not chdir to home directory /home/william: Permission denied
[william@manganese /]$

[william@silicon ~]$ ssh iron
Last login: Wed Mar  1 19:58:36 2017 from manganese.eng.example.com
DISPLAY is manganese:2
[william@iron ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_800

These are the changes that I currently have on my sssd.conf


krb5_realm = ENG.EXAMPLE.COM
krb5_server = hydrogen.eng.example.com
auth_provider = krb5
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
cache_credentials = True
krb5_store_password_if_offline = True

According to this article, this change would ensure that the system
auto renew the keys for the next 50 days.  Why would this key expiry
still show up?


One side question, that is the difference between "auth_provider =
krb5" and "auth_provider = ipa"?  In another word, what is expected
different between the two as far as IPA usage is concerned and what
would make one choose one over the other?


On 17 February 2017 at 09:56, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> On (16/02/17 18:05), William Muriithi wrote:
>>> The fact that your desktops are using SSSD changes the situation 
>>> dramatically.
>>> SSSD (with ipa or krb5 provider) obtains ticket for user when he is 
>>> logging-in.
>>> And can be configured to renew the ticket for the user until the ticket 
>>> renew
>>> life time expires.
>>> Given this you can keep ticket life time reasonable short (~1 day) set 
>>> ticket
>>> renewable life time to longer period (~2 weeks) and maintain reasonable
>>> security level without negative impact on user's daily work.
>>> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
>>> in sssd-krb5 man page.
>>Thanks a lot.  I did actually end up using this.   Will wait for a
>>couple of days and see if anybody if the situation is better and
>>update you.
>>Curious though, why isn't renewal interval setup by default?  Is there
>>a negative consequence of having SSSD renewing tickets by default?  I
>>can't think of any and hence a bit lost on explaining the default
> Desktop/laptop user usually does not need automatic renewal.
> They authenticate/login/unlock screen quite often and for each
> action sssd authenticate against IPA server which automatically get/renew
> krb5 ticket. Unless machine is offline.
> LS

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to