Talking about renewing keys. In our setup we use a service account which has the rights to join machines to the domain; the Linux workstations are in a special OU. I run a cron job which calls msktutil --auto-update every day to renew the machine password if over 30 days. As discussed in another thread, I am not sure if our setup is using adcli automatically from sssd to renew the machine password.
Yesterday the msktutil failed on one machine, as it looked like the Kerberos ticket for that service account expired. I did a kinit as that user and everything worked with the msktutil. Password was over 30 days old and it got renewed. However I am a bit troubled here - surely I do not have to renew the service account ticket every N days also.

What a ruddy big faff...

On 9 July 2018 at 16:23, John Hodrien <[email protected]> wrote:

> On Mon, 9 Jul 2018, Ondrej Valousek wrote:
>
>> Thanks,
>> "net ads keytab create" does work, but it populates my keytab with all
>> accounts (user and computer) that can be found in AD - i.e. pretty
>> dangerous. I would like to add it some parameter to only fill with
>> entries relevant for my computer - i.e. something like:
>>
>> Net ads keytab create --only-obj <my_hostname>
>>
>> Which would add UPN and SPN (both can be easily grabbed from AD) related
>> to my hostname.
>
> It does *what*?!!!
>
> jh
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/OD6FFJW7GD7I324GMGPAKXIJPRFORNZO/
