Thanks for your answers!
Yes, please check man sssd-krb5 and the options that include 'renew' in
their name, e.g. "krb5_renewable_lifetime".
After reading the manpage, I thought that this only affects auths via krb5 -
however, our auth_provider is ad. Am I wrong here?
The ad provider is an AD-specific wrapper around the krb5 provider, so it
can be tuned with the krb5_* options.
I'll test it now with the following options specified in sssd.conf
(after restarting sssd service):
id_provider = ad
auth_provider = ad
ldap_id_mapping = false
access_provider = ad
enumerate = false
krb5_renewable_lifetime = 10h
krb5_renew_interval = 1h
However, I have my doubts: in a testcase, I also specified
"krb5_lifetime = 5m". However, when I log in and list my krb5 tickets
using klist, the expiration time still is the time specified by the
Samba server. Is this normal behavior or am I overlooking something?
But please note that only tickets acquired through SSSD will be renewed
this way.
Actually, I don't even know which service acquires the ticket. Is it always
SSSD? Or is it pam or ssh?
How do you log in to the machine? Via ssh with a password, ssh with GSSAPI,
GDM..?
Typically, the login methods that include a PAM authentication (GDM, su,
ssh with password, ...) would contact sssd through the pam_sss module.
I/we log in via ssh with password at or lightdm, respectively.
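An added example, not part of the thread or of SSSD: a consistency check for the krb5_* renewal options discussed above, run over a constructed domain section that combines the posted options with the "krb5_lifetime = 5m" test case. It assumes the behavior described in the sssd-krb5 man page (renewal is attempted once about half the ticket lifetime has passed, checked every krb5_renew_interval; an unset or 0 interval disables renewal); the domain name and function names are hypothetical.

```python
import configparser
import re
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample: options from the post plus the krb5_lifetime test case.
SAMPLE_CONF = """
[domain/example.test]
id_provider = ad
auth_provider = ad
krb5_lifetime = 5m
krb5_renewable_lifetime = 10h
krb5_renew_interval = 1h
"""

def to_seconds(value):
    """Convert an sssd-krb5 duration ('10h', '300', ...) to seconds; None if unset."""
    if value is None:
        return None
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]  # no unit means seconds

def check_renewal(conf_text):
    """Return {section name: [findings]} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        life = to_seconds(sec.get("krb5_lifetime"))
        renewable = to_seconds(sec.get("krb5_renewable_lifetime"))
        interval = to_seconds(sec.get("krb5_renew_interval"))
        findings = []
        if not interval:
            findings.append("krb5_renew_interval unset or 0: automatic renewal disabled")
        if renewable is None:
            findings.append("krb5_renewable_lifetime unset: no renewable ticket requested")
        # Assumption (man page): renewal happens at a check after ~half the lifetime.
        if interval and life and interval > life // 2:
            findings.append("check interval exceeds half the lifetime: ticket may expire unrenewed")
        report[name] = findings
    return report

if __name__ == "__main__":
    for domain, findings in check_renewal(SAMPLE_CONF).items():
        print(domain, findings or ["renewal settings look consistent"])
```

The check only looks at what sssd.conf requests; the lifetime the KDC actually grants is what klist shows.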