On Thu, Oct 19, 2017 at 01:01:18PM +0200, Michael Löffler wrote:
> Thanks for your answers!
> 
> > > > Yes, please check man sssd-krb5 and the option that include 'renew' in
> > > > their name, e.g. "krb5_renewable_lifetime".
> > > After reading the manpage, I thought that this only affects auths via 
> > > krb5 -
> > > however, our auth_provider is ad. Am I wrong here?
> > 
> > The ad provider is a AD-specific wrapper around the krb5 provider, so it
> > can be tuned with the krb5_* options.
> 
> I'll test it now with the following options specified in sssd.conf (after
> restarting sssd service):
> id_provider = ad
> auth_provider = ad
> ldap_id_mapping = false
> access_provider = ad
> enumerate = false
> krb5_renewable_lifetime = 10h
> krb5_renew_interval = 1h
> 
> However, I have my doubts: in a testcase, I also specified "krb5_lifetime =
> 5m". However, when I log in and list my krb5 tickets using klist, the
> expiration time still is the time specified by the Samba server. Is this
> normal behavior or am I overlooking something?

No, I don't think so, and I just tested this setup in my test environment and 
it works fine.

btw do you see a message such as this one:
    (Sat Oct 21 19:34:30 2017) [[sssd[krb5_child[13199]]]] [set_lifetime_options] (0x0100): Lifetime is set to [5m]
in the krb5_child.log on your client system?

> 
> 
> > > > But please note that only tickets acquired through SSSD will be renewed
> > > > this way.
> > > Actually, I don't even know which service acquires the ticket. Is it 
> > > always
> > > SSSD? Or is it pam or ssh?
> > 
> > How do you log in to the machine? Via ssh with a password, ssh with GSSAPI,
> > GDM..?
> > 
> > Typically, the login methods that include a PAM authentication (GDM, su,
> > ssh with password, ...) would contact sssd through the pam_sss module.
> 
> I/we log in via ssh with password or lightdm, respectively.

Both should reach sssd through the PAM interface.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
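The thread boils down to two checks: does the [domain/...] section actually request renewable tickets with a sane renewal timer, and does krb5_child report the lifetime it applied. The script below does both from files only. It is an added example for this thread, not code from the SSSD project or from either poster. The domain name example.com, the debug_level value and the second log line are assumptions; the option names and units come from man sssd-krb5 and man sssd.conf, and the first log line is the one quoted above.

```python
"""Sanity-check SSSD ticket renewal settings and confirm krb5_child applied them.

Added example for the sssd-users thread; not SSSD project code. Read-only.
Assumptions (not from the thread): domain name example.com, debug_level = 4,
and the second constructed krb5_child.log line.
"""
import configparser
import re
import sys

# Duration suffixes accepted by the krb5_* lifetime options (man sssd-krb5);
# a bare integer is taken as seconds.
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
_DURATION_RE = re.compile(r"^\s*(\d+)\s*([smhd]?)\s*$")

# Providers that are the krb5 auth provider or wrap it, and so honour krb5_*.
_KRB5_BACKED = {"krb5", "ad", "ipa"}

# The krb5_child.log message quoted in the thread. 0x0100 is the
# "configuration settings" debug bit, included from debug_level = 4 upwards.
_LIFETIME_RE = re.compile(
    r"\[\[sssd\[krb5_child\[(\d+)\]\]\]\] \[set_lifetime_options\] "
    r"\(0x[0-9a-fA-F]+\): Lifetime is set to \[([^\]]+)\]"
)


def parse_duration(value):
    """Convert an SSSD duration such as '10h', '5m' or '300' to seconds."""
    m = _DURATION_RE.match(value)
    if not m:
        raise ValueError(f"not an SSSD duration: {value!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2) or "s"]


def check_renewal(conf_text):
    """Return {section: [findings]} for every [domain/...] section.

    An empty list means the domain asks for renewable tickets and the
    renewal timer is enabled with an interval that fits the lifetimes.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        findings = []
        # auth_provider falls back to id_provider when unset (man sssd.conf).
        auth = opts.get("auth_provider", opts.get("id_provider", "")).strip()
        if auth not in _KRB5_BACKED:
            findings.append(f"auth_provider={auth!r} is not krb5-backed; krb5_* options do not apply")
            report[section] = findings
            continue
        lifetime = opts.get("krb5_lifetime")
        renewable = opts.get("krb5_renewable_lifetime")
        interval = opts.get("krb5_renew_interval")
        if renewable is None:
            findings.append("krb5_renewable_lifetime unset: tickets are not requested as renewable")
        if interval is None or parse_duration(interval) == 0:
            findings.append("krb5_renew_interval unset or 0: automatic renewal is disabled")
        if renewable is not None and interval is not None:
            if parse_duration(interval) >= parse_duration(renewable):
                findings.append(f"krb5_renew_interval ({interval}) is not shorter than "
                                f"krb5_renewable_lifetime ({renewable}); the timer never fires "
                                "inside the renewable window")
        if lifetime is not None and renewable is not None:
            if parse_duration(renewable) <= parse_duration(lifetime):
                findings.append(f"krb5_renewable_lifetime ({renewable}) does not exceed "
                                f"krb5_lifetime ({lifetime}); renewal cannot extend the ticket")
        report[section] = findings
    return report


def lifetimes_in_krb5_child_log(log_text):
    """Return (child pid, lifetime) for each time krb5_child reported the lifetime."""
    return _LIFETIME_RE.findall(log_text)


# Constructed sssd.conf mirroring the options posted in the thread.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = false
enumerate = false
debug_level = 4
krb5_lifetime = 5m
krb5_renewable_lifetime = 10h
krb5_renew_interval = 1h
"""

# Constructed log excerpt; the first line is the one quoted in the thread.
SAMPLE_LOG = """\
(Sat Oct 21 19:34:30 2017) [[sssd[krb5_child[13199]]]] [set_lifetime_options] (0x0100): Lifetime is set to [5m]
(Sat Oct 21 19:41:02 2017) [[sssd[krb5_child[13250]]]] [set_lifetime_options] (0x0100): Lifetime is set to [5m]
"""

if __name__ == "__main__":
    # Usage: python3 check_sssd_renewal.py [sssd.conf] [krb5_child.log]
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    log = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_LOG
    for section, findings in check_renewal(conf).items():
        print(section, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    for pid, value in lifetimes_in_krb5_child_log(log):
        print(f"krb5_child[{pid}] applied lifetime {value}")
```

Run it as root on the client against /etc/sssd/sssd.conf and /var/log/sssd/krb5_child.log; without arguments it runs on the constructed samples. A clean report plus the "Lifetime is set to" line only prove what SSSD requested, not what the KDC granted: the expiry klist prints is the KDC's answer, so that is still the value to compare against after a fresh password login through pam_sss.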