Hello,

Does anyone have any tips for completely refreshing (forcing cleaning) all kerberos tickets on a client from FreeIPA?

I assumed "$ kdestroy -A" should do it, but it certainly doesn't completely clear all caches.

What I'm having trouble with is some NFS/NAS servers using Kerberos. I'll set up a new NFS server with Kerberos; the server will have its appropriate keytab and services created.

I'll make sure to clear my local cache on my client with "$ kdestroy -A", and then connect to the NFS server. If for some reason I have something misconfigured (e.g. time is off) I'll obviously get a "stale file handle" or "mount.nfs4: access denied by server". At that point I'll correct the issue on the server/client. However, I'll continue getting the error even though I destroy the cache. I _know_ it's a cache issue _somewhere_ because it will randomly start working (e.g. it will be failing, I leave for the day, and the next morning it will mount no problem) OR I'll try it on a different client and it will mount successfully. It seems so sporadic. I've even been in the situation where I've purposefully removed keytabs and LDAP login access and reset the cache on the client, and the NFS mount has still worked. It will continue to work when it shouldn't, as I've removed the keytab or authentication, so obviously something is cached.

Is there a foolproof list of things I need to do to reset the cache(es)? kdestroy, services on client and server? Is there a potential force 15 min TTL or something somewhere I'm missing?

Thanks,

-Kevin