On Wed, Jan 17, 2018 at 09:44:42AM -0000, tallinn1...@yahoo.de wrote:
> I am aware that sssd by design issues an invalid tgt upon login when it is
> operating in offline mode. The tgt has an expire date of the epoch. There is a
> configuration option for storing the login passwd within sssd to enable it to
> issue a correct ticket once it enters online mode again.
>
> Now, we are using yubikey-based PKINIT as our login and cannot use this
> configuration option. The problematic scenario runs like this:
>
> - Notebook is offline.
> - user logs in with yubikey
> - user starts a user program that establishes a vpn connection
>
> This results in a tgt expired at epoch.
>
> Two questions:
> 1. Is there a way to avoid this behaviour?

Maybe https://access.redhat.com/blogs/766093/posts/1976663 and
https://ocserv.gitlab.io/www/recipes-ocserv-freeipa.html might help.

bye,
Sumit

> 2. Is issuing a kinit after setting up the vpn connection to obtain a valid
> tgt a valid workaround?
>
> Thanks in advance
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org