On Sat, 17 Oct 2020, Albert Szostkiewicz via FreeIPA-users wrote:
> ws.home.mydomain.com gssproxy[1151]: gssproxy[1226]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
> ws.home.mydomain.com gssproxy[1226]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>
> So I have an NFS4 mounted directory 'tools':
>
> $ cd tools
> tools: Permission denied.
> $ ipa
> ipa: ERROR: Ticket expired
> $ kinit myuser
> Password for myuser@HOME.MYDOMAIN.COM:
> $ cd tools
> $ ll
> total 0
> drwxrwxr-x. 3 myuser myuser 24 Jul 12 20:54 folderA
> drwxr-xr-x. 2 myuser myuser 48 Aug 22 13:06 folderB
> drwxrwxr-x. 2 myuser myuser 28 Oct 3 16:22 folderC
>
> and I have to do it every time I restart my workstation. I was looking at
> https://www.freeipa.org/page/V4/CA_certificate_renewal
> But as a client, I don't have 'ipa-cacert-manage' tools and I am not even sure
> if that is the direction I should be looking at
>
> Any suggestions would help a lot, thanks!

I don't see how this applies to CA certificate renewal at all. The CA
certificate is valid for 20 years or so (now capped by year 2038) and is
completely irrelevant for Kerberos tickets themselves.

You need to have a Kerberos ticket when accessing your NFS share. That
can be obtained during login, for example, with SSSD. Or with kinit as
you do.

By default, the IPA KDC also allows renewing the tickets, but you need to
enable a client to request it. In SSSD, see the sssd-krb5 manual page
(krb5_renewable_lifetime and related options) and, if using kinit
manually, you can specify it there too with '-R 7d', for example (for 7
days). The man page for kinit has more details.

For details on max renewal of Kerberos tickets see
https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-poli...
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
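
To confirm whether a client actually obtained a renewable ticket, as the reply describes, the TGT entry printed by `klist` can be inspected for its "renew until" line. The following is an added example and not part of the original thread; the sample `klist` output is constructed, and the US-locale date layout and the `tgt_status` helper name are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of `klist -f` output (MIT Kerberos layout). The principal
# reuses the realm from the thread; the cache name and times are made up.
SAMPLE_KLIST = (
    "Ticket cache: KCM:1000\n"
    "Default principal: myuser@HOME.MYDOMAIN.COM\n\n"
    "Valid starting       Expires              Service principal\n"
    "10/17/2020 09:00:00  10/18/2020 09:00:00  "
    "krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM\n"
    "\trenew until 10/24/2020 09:00:00, Flags: FRIA\n"
)

FMT = "%m/%d/%Y %H:%M:%S"  # assumption: US-locale dates; adjust to your klist
TS = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
# Start, expiry and principal of the TGT line, then the optional
# "renew until" detail that klist prints only for renewable tickets.
TGT = re.compile(
    TS + r"\s+" + TS + r"\s+(krbtgt/\S+)\n"
    r"(?:\s+renew until " + TS + r")?"
)


def tgt_status(klist_text, now):
    """Return (state, deadline) for the TGT found in klist output."""
    m = TGT.search(klist_text)
    if m is None:
        return ("missing", None)  # no TGT at all: kinit or log in via SSSD
    _start, expires, _principal, renew_until = m.groups()
    expires = datetime.strptime(expires, FMT)
    if now >= expires:
        # An expired ticket cannot be renewed; a fresh kinit is required.
        return ("expired", expires)
    if renew_until is None:
        # Valid, but it was requested without a renewable lifetime.
        return ("not-renewable", expires)
    return ("renewable", datetime.strptime(renew_until, FMT))


if __name__ == "__main__":
    state, deadline = tgt_status(SAMPLE_KLIST, datetime(2020, 10, 17, 12, 0, 0))
    print(state, deadline)
```

A "not-renewable" result means the ticket was requested without a renewable lifetime, which is the client-side setting the reply points to.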