Hello David/Lukas Thank you for your assistance so far. I still have the problem and not even sure what to look at next. We are still seeing key expiry error from NFS even after the proposed changes.
[william@silicon ~]$ ssh iron Last login: Wed Mar 1 19:26:56 2017 from silicon.eng.example.com Could not chdir to home directory /home/william: Key has expired [william@iron /]$ [rtdamgr@silicon ~]$ ssh manganese Last login: Wed Mar 1 19:26:57 2017 from silicon.eng.example.com Could not chdir to home directory /home/william: Permission denied [william@manganese /]$ [william@silicon ~]$ ssh iron Last login: Wed Mar 1 19:58:36 2017 from manganese.eng.example.com DISPLAY is manganese:2 [william@iron ~]$ klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_800 These are the changes that I currently have on my sssd.conf [domain/eng.example.com] krb5_realm = ENG.EXAMPLE.COM krb5_server = hydrogen.eng.example.com auth_provider = krb5 krb5_renewable_lifetime = 50d krb5_renew_interval = 3600 cache_credentials = True krb5_store_password_if_offline = True According to this article, this change would ensure that the system auto renew the keys for the next 50 days. Why would this key expiry still show up? http://people.redhat.com/steved/Summits/Summit13/Summit_Handout13.pdf One side question, that is the difference between "auth_provider = krb5" and "auth_provider = ipa"? In another word, what is expected different between the two as far as IPA usage is concerned and what would make one choose one over the other? Regards, William On 17 February 2017 at 09:56, Lukas Slebodnik <[email protected]> wrote: > On (16/02/17 18:05), William Muriithi wrote: >>> The fact that your desktops are using SSSD changes the situation >>> dramatically. >>> >>> SSSD (with ipa or krb5 provider) obtains ticket for user when he is >>> logging-in. >>> And can be configured to renew the ticket for the user until the ticket >>> renew >>> life time expires. >>> >>> Given this you can keep ticket life time reasonable short (~1 day) set >>> ticket >>> renewable life time to longer period (~2 weeks) and maintain reasonable >>> security level without negative impact on user's daily work. >>> >>> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options >>> in sssd-krb5 man page. >>> >>Thanks a lot. I did actually end up using this. Will wait for a >>couple of days and see if anybody if the situation is better and >>update you. >> >>Curious though, why isn't renewal interval setup by default? Is there >>a negative consequence of having SSSD renewing tickets by default? I >>can't think of any and hence a bit lost on explaining the default >>setup > > Desktop/laptop user usually does not need automatic renewal. > They authenticate/login/unlock screen quite often and for each > action sssd authenticate against IPA server which automatically get/renew > krb5 ticket. Unless machine is offline. > > LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
