On 11/30/2012 10:09 AM, Longina Przybyszewska wrote:
> This is a good question.
>
> Is it wrong?
>
> Computer should always have a valid TGT.
> What happens if computer's TGT expires, or rather, if it expires, does user still have access to all services?
>
> Do I need some tuning in config to prevent that?
>
> I caught in ldap_child.log precise change from preauthentication success → preauthentication failed
>
> ls -l /etc/krb5.keytab
> -rw------- 1 root root 894 Nov 07:48 /etc/krb5.keytab
>
If you are asking in the context of SSSD, then SSSD just handles the renewal of the ticket for the host automatically, for its own purposes only. But this does not mean that it makes sure the host TGT is always available. Do you need to use the host TGT for something else other than SSSD, for example for cron jobs? If so, then you need to periodically do kinit with the host principal using the host keytab. In the future there will be a process called GSS proxy that would be able to do it on demand on your behalf.

>
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x2000): getting TGT sync
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NAT.C.SDU.DK]
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials initialized
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): credentials stored
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [ldap_child_get_tgt_sync] (0x2000): Got KDC time offset
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [prepare_response] (0x0400): Building response for result [0]
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x2000): response size: 60
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [pack_buffer] (0x1000): result [0] krberr [0] msgsize [40] msg [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
> (Thu Nov 29 07:26:54 2012) [[sssd[ldap_child[7809]]]] [main] (0x0400): ldap_child completed successfully
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x0400): ldap_child started.
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): context initialized
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): total buffer size: 37
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): realm_str size: 12
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): got realm_str: NAT.C.SDU.DK
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): princ_str size: 9
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): got princ_str: VICTORIA$
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): keytab_name size: 0
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [unpack_buffer] (0x1000): lifetime: 86400
> (Thu Nov 29 07:46:44 2012) [[sssd[ldap_child[7867]]]] [main] (0x2000): getting TGT sync:
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [unpack_buffer] (0x1000): keytab_name size: 0
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [unpack_buffer] (0x1000): lifetime: 86400
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x2000): getting TGT sync
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): Kerberos context initialized
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): got realm_name: [NAT.C.SDU.DK]
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Principal name is: [[email protected]]
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x2000): keytab ccname: [FILE:/var/lib/sss/db/ccache_NAT.C.SDU.DK]
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [ldap_child_get_tgt_sync] (0x0010): Failed to init credentials: Preauthentication failed
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0020): ldap_child_get_tgt_sync failed.
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [prepare_response] (0x0400): Building response for result [-1765328360]
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x2000): response size: 44
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [pack_buffer] (0x1000): result [14] krberr [-1765328360] msgsize [24] msg [Preauthentication failed]
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8137]]]] [main] (0x0400): ldap_child completed successfully
> (Thu Nov 29 08:14:09 2012) [[sssd[ldap_child[8138]]]] [main] (0x0400): ldap_child started.
>
> Longina
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Ondrej Valousek
> *Sent:* 29. november 2012 14:27
> *To:* [email protected]
> *Subject:* Re: [SSSD-users] problems sssd-1.9.2
>
> Why do you need a TGT generated from a machine account principal?
> Use your own instead.
>
> O.
>
> On 11/29/2012 12:12 PM, Longina Przybyszewska wrote:
>> Can sssd do it for me? Do I miss some options configured properly?
>

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
_______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-users
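Dmitri's advice above (periodically run kinit with the host principal from the host keytab when something other than SSSD, such as a cron job, needs the host TGT) as an added shell example; this is not code from the thread or from the SSSD project. The principal VICTORIA$@NAT.C.SDU.DK and the keytab /etc/krb5.keytab are the values visible in the log above; the separate credential-cache path, the script name and the sample `klist -kt` listing used in the comments are assumptions of this example. The script keeps its own cache rather than touching SSSD's ccache under /var/lib/sss/db, and before calling kinit it confirms the keytab still holds a key for the principal, which is the first thing worth checking when a keytab-based kinit that used to succeed starts returning "Preauthentication failed" as it does at 08:14:09 in the log. MIT Kerberos command syntax is assumed throughout.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: keep a host TGT
# available for cron jobs and other non-SSSD consumers by re-running kinit
# (MIT Kerberos syntax) from the host keytab once the cached ticket expires.
# Principal and keytab path are the ones visible in the thread's log; the
# credential-cache path and this script's file name are assumptions.

PRINC="${HOST_PRINC:-VICTORIA\$@NAT.C.SDU.DK}"
KEYTAB="${HOST_KEYTAB:-/etc/krb5.keytab}"
# A cache of our own: /var/lib/sss/db/ccache_* belongs to SSSD.
CCACHE="${HOST_CCACHE:-FILE:/var/run/host-tgt.ccache}"   # assumed path

# Render the kinit command line so a cron wrapper can log exactly what it runs.
kinit_cmd() {
    # $1 principal, $2 keytab, $3 credential cache
    printf 'kinit -k -t %s -c %s %s' "$2" "$3" "$1"
}

# Read `klist -kt` output on stdin; exit 0 if the principal has a key there.
# Sample layout this parser expects (constructed, first three lines are headers):
#   Keytab name: FILE:/etc/krb5.keytab
#   KVNO Timestamp           Principal
#   ---- ------------------- ------------------------------
#      3 11/07/2012 07:48:00 VICTORIA$@NAT.C.SDU.DK
# Checking this before kinit turns a missing or re-keyed keytab into a clear
# error instead of "Preauthentication failed" on every cron run.
keytab_lists_principal() {
    awk -v p="$1" 'NR > 3 && $NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Highest key version (kvno) stored for the principal in `klist -kt` output on
# stdin; prints 0 when the principal is absent. Compare it with the KDC's kvno
# when preauthentication starts failing for a principal that previously worked.
keytab_max_kvno() {
    awk -v p="$1" 'BEGIN { max = 0 } NR > 3 && $NF == p && $1 > max { max = $1 } END { print max }'
}

# Exit 0 while the cache still holds an unexpired ticket (`klist -s` is silent
# and reports expiry through its exit status).
host_tgt_valid() {
    KRB5CCNAME="$1" klist -s 2>/dev/null
}

# Refresh only when needed; safe to call from cron every hour.
refresh_host_tgt() {
    if host_tgt_valid "$CCACHE"; then
        return 0
    fi
    if ! klist -kt "$KEYTAB" | keytab_lists_principal "$PRINC"; then
        echo "refresh_host_tgt: $PRINC has no key in $KEYTAB" >&2
        return 2
    fi
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$PRINC"
}

# Run the refresh only when executed under the assumed script name, so the
# file can also be sourced for its functions.
case "${0##*/}" in
    host-tgt-refresh.sh) refresh_host_tgt ;;
esac
```

The keytab is root-only (mode 0600 in the `ls -l` above), so the refresh job runs as root; jobs that consume the ticket only need read access to the cache and should set `KRB5CCNAME` to the same `$CCACHE` value. Using a dedicated cache keeps the cron ticket independent of the one SSSD renews for itself, which is the distinction Dmitri draws.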
