On Wed, Dec 03, 2014 at 12:03:16PM +0100, Joschi Brauchle wrote:
> On 12/02/2014 04:45 PM, Jakub Hrozek wrote:
> >On Mon, Dec 01, 2014 at 05:43:49PM +0100, Joschi Brauchle wrote:
> >>Hello Everyone,
> >>
> >>there seems to be a problem with the KRB TGT auto-renewal feature of SSSD in
> >>version 1.12.2.
> >>
> >>I have this config in sssd.conf:
> >>-----------------------------
> >>krb5_renew_interval = 60
> >>-----------------------------
> >>We are using the AD plugin, the KRB plugin is not installed but krb-common
> >>(i.e. krb5_child, ldap_child, libsss_krb5_common.so).
> >>
> >>#Everything works fine, except auto-renewal!
> >>
> >>See the following example:
> >>-----------------------------
> >>$ kinit -l 10m
> >>Password for [email protected]:
> >
> >Does the renewal work if you acquire the ticket via SSSD login instead
> >of kinit? Can you test logging in with some PAM service (gdm, su, ...)
>
> Hello Jakub,
>
> thanks for the hint. I can confirm that auto-renew works when
> 1) using graphical login (i.e. SSSD acquired the ticket)
> 2) reasonably long lifetime (tested w/ 2h) and renewal time (tested w/ 10m).
>
> I did have problems when getting the ticket with kinit and short
> life-/renewal times, as reported originally.

I think this is kind of expected unless you use a ticket name that is predictable (i.e. no XXXXX components in a FILE:/ ccache) because then SSSD has no idea which ccache to renew.
