[SSSD-users] Re: issues with renewal of service tickets
Is the NFS kerberized? We are seeing a similar issue but on Ubuntu bionic with sssd 1.16.1 (we suspect similar behavior as far back as 1.12.5 on Ubuntu trusty). When the Kerberos ticket expires, nfs access is denied. Unable to determine why sssd is not renewing the ticket. In our case, the ticket is obtained by ssh. If you use kinit, then sssd won't renew it (because it doesn't know about it). The logs for our situation have lots of data that I cannot adequately scrub to sent offsite for help. -Original Message- From: Peter Tulpen Sent: Friday, August 16, 2019 1:15 AM To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: issues with renewal of service tickets EXTERNAL MAIL: sssd-users-boun...@lists.fedorahosted.org The application is a self written python script, but the access is via nfs so I think the application responsible for this should be the nfsclient --- Ursprüngliche Nachricht --- Von: Sumit Bose Datum: 15.08.2019 17:26:05 An: sssd-users@lists.fedorahosted.org Betreff: [SSSD-users] Re: issues with renewal of service tickets > On Thu, Aug 15, 2019 at 03:27:27PM +0200, Peter Tulpen wrote: > > Hello, > > we have some issues with long running batch jobs on centos machines > (centos 7, > > sssd 1.16.2 ). > > After the 10 hours the service ticket runs out, we have a access denied > error, > > but the next requests work. > > We broke it down to the issue that the service ticket is not renewed > ahead of > > expiration. > > Hi, > > what kind of service/application is this? If I understand it correctly > as long as there is a valid TGT the application should just ask for a > new service ticket. > > bye, > Sumit > > > What I found was options like krb5_renewable_lifetime and > > krb5_renew_interval, > > > but they all seem to refer to TGT, not the service ticket. > > Is there a way to watch and renew service tickets as well? > > > > > > ━━━ > > > > > Versendet mit Emailn.de - Freemail > > > > * Unbegrenzt Speicherplatz > > * Eigenes Online-Büro > > * 24h besten Mailempfang > > * Spamschutz, Adressbuch > > > > > ___ > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org > > ___ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
[SSSD-users] Re: issues with renewal of service tickets
The application is a self written python script, but the access is via nfs so I think the application responsible for this should be the nfsclient --- Ursprüngliche Nachricht --- Von: Sumit Bose Datum: 15.08.2019 17:26:05 An: sssd-users@lists.fedorahosted.org Betreff: [SSSD-users] Re: issues with renewal of service tickets > On Thu, Aug 15, 2019 at 03:27:27PM +0200, Peter Tulpen wrote: > > Hello, > > we have some issues with long running batch jobs on centos machines > (centos 7, > > sssd 1.16.2 ). > > After the 10 hours the service ticket runs out, we have a access denied > error, > > but the next requests work. > > We broke it down to the issue that the service ticket is not renewed > ahead of > > expiration. > > Hi, > > what kind of service/application is this? If I understand it correctly > as long as there is a valid TGT the application should just ask for a > new service ticket. > > bye, > Sumit > > > What I found was options like krb5_renewable_lifetime and > > krb5_renew_interval, > > > but they all seem to refer to TGT, not the service ticket. > > Is there a way to watch and renew service tickets as well? > > > > > > ━━━ > > > > > Versendet mit Emailn.de - Freemail > > > > * Unbegrenzt Speicherplatz > > * Eigenes Online-Büro > > * 24h besten Mailempfang > > * Spamschutz, Adressbuch > > > > > ___ > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > > > Fedora Code of Conduct: > > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > > > List Archives: > > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org > > ___ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
[SSSD-users] Re: issues with renewal of service tickets
On Thu, Aug 15, 2019 at 03:27:27PM +0200, Peter Tulpen wrote: > Hello, > we have some issues with long running batch jobs on centos machines (centos 7, > sssd 1.16.2 ). > After the 10 hours the service ticket runs out, we have a access denied error, > but the next requests work. > We broke it down to the issue that the service ticket is not renewed ahead of > expiration. Hi, what kind of service/application is this? If I understand it correctly as long as there is a valid TGT the application should just ask for a new service ticket. bye, Sumit > What I found was options like krb5_renewable_lifetime and krb5_renew_interval, > but they all seem to refer to TGT, not the service ticket. > Is there a way to watch and renew service tickets as well? > > > ━━━ > > Versendet mit Emailn.de - Freemail > > * Unbegrenzt Speicherplatz > * Eigenes Online-Büro > * 24h besten Mailempfang > * Spamschutz, Adressbuch > > ___ > sssd-users mailing list -- sssd-users@lists.fedorahosted.org > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org