On Mon, Nov 04, 2019 at 04:01:20PM +0000, Jay McCanta wrote:
> I've been working with SSSD for a good while and I could have sworn I knew
> how to get this working, but....
>
> Login on workstations via GDM and my Kerberos tickets get renewed
> automatically. As I type this, I realize that I do lock/unlock my screen at
> least once a day. My tickets never seem to expire on my workstation.
> From my workstation, I ssh to a server with sssd enabled authentication
> (Ubuntu bionic on both ends). I use a different account on the remote server
> and am asked for a password. Ssh is configured to use PAM and has its own
> password authentication disabled. (PasswordAuthentication no; UsePAM yes;
> ChallengeResponseAuthentication yes). Home folders are kerberized NFS
> and upon initial login, all is well. However the ticket for this session
> never renews on its own. sudo will refresh the ticket. It's about the only
> other thing we have sssd enabled for besides ssh. Without any sudo activity,
> the Kerberos ticket expires and we lose access to home folders. Current
> workaround is a user cron job that tries to refresh the key every hour. I
> have to sudo on this server several times a day so my tickets were being
> renewed. Co-workers don't have sudo access and they are the ones losing
> their tickets.
>
> Is my assumption that one should be able to ssh to a server and have that
> server refresh tickets (like on a workstation) a valid one? If so, where
> should I concentrate my efforts to get this working?

Hi,

please have a look at the krb5_renew_interval option explained in the
sssd-krb5 man page.

HTH

bye,
Sumit

>
> Thanks to all in this group.
>
> Jay McCanta | Principal Systems Administrator
> D +1 (206) 272-7998 M +1-206-434-1080
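
An added example, not part of the original thread: a fragment of sssd.conf on the SSH server that sets the krb5_renew_interval option named in the reply, together with the related lifetime options from the same sssd-krb5 man page. The domain name "example.com" and all values are assumptions chosen for illustration.

```ini
# /etc/sssd/sssd.conf on the SSH server (fragment).
# "example.com" and every value below are placeholders, not taken from the thread.
[domain/example.com]

# Seconds between SSSD's checks of the tickets it obtained at login.
# A ticket is renewed once about half of its lifetime has passed.
# If this option is unset or 0, SSSD does not renew tickets on its own.
krb5_renew_interval = 3600

# Ask the KDC for a renewable ticket. Renewal is only possible up to this
# total lifetime, and only if the KDC's policy allows renewable tickets.
krb5_renewable_lifetime = 7d

# Lifetime requested for each ticket before it has to be renewed.
krb5_lifetime = 10h
```

After restarting SSSD and logging in again over SSH, `klist -f` in the new session should show the R (renewable) flag on the TGT; a ticket issued without that flag cannot be renewed.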
