On Mon, Nov 04, 2019 at 04:01:20PM +0000, Jay McCanta wrote:
I've been working with SSSD for a good while and I could have
sworn I knew how to get this working, but....
Login on workstations via GDM and my Kerberos tickets get renewed automatically. As I
type this, I realize that I do lock/unlock my screen at least once a day. My tickets
never seem to expire on my workstation.
From my workstation, I ssh to a server with sssd enabled authentication (Ubuntu bionic on
both ends). I use a different account on the remote server and am asked for a password.
Ssh is configured to use PAM and has its own password authentication disabled.
(PasswordAuthentication no; UsePAM yes; ChallengeResponseAuthentication yes). Home
folders are kerberized NFS and upon initial login, all is well. However the ticket for
this session never renews on its own. sudo will refresh the ticket. It's about the
only other thing we have sssd enabled for besides ssh. Without any sudo activity, the
Kerberos ticket expires and we lose access to home folders. Current workaround is a user
cron job that tries to refresh the key every hour. I have to sudo on this server several
times a day so my tickets were being renewed. Co-workers don't have sudo access and
they are the ones losing their tickets.
Is my assumption that one should be able to ssh to a server and have that server refresh
tickets (like on a workstation) a valid one? If so, where should I concentrate my
efforts to get this working?
Hi,
please have a look at the krb5_renew_interval option explained in the
sssd-krb5 man page.
HTH
bye,
Sumit
Thanks to all in this group.
Jay McCanta | Principal Systems Administrator
D +1 (206) 272-7998 M +1-206-434-1080
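An added example, not part of the original thread and not SSSD project code: a small audit of an sssd.conf for the option the reply points to. It relies on the sssd-krb5 man page semantics (krb5_renew_interval unset or 0 disables automatic renewal; krb5_renewable_lifetime unset means the TGT is not renewable); the domain names and values in the sample are constructed.

```python
import configparser
import re
# Constructed sample sssd.conf; all names and values are made up.
SAMPLE_CONF = """
[sssd]
domains = example.com, lab.example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h

[domain/lab.example.com]
id_provider = ad
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
KRB5_BACKED = {"krb5", "ipa", "ad"}  # auth providers that honour the krb5_* options

def to_seconds(value):
    """Parse '<int>[s|m|h|d]' (no unit means seconds); None if unset or malformed."""
    m = re.fullmatch(r"(\d+)([smhd]?)", (value or "").strip())
    return int(m.group(1)) * UNITS[m.group(2) or "s"] if m else None

def audit(conf_text):
    """Return {domain: [findings]} for every krb5-backed domain section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        # auth_provider falls back to id_provider when it is not set
        auth = opts.get("auth_provider", opts.get("id_provider", "")).strip().lower()
        if auth not in KRB5_BACKED:
            continue
        findings = []
        if not to_seconds(opts.get("krb5_renew_interval")):
            findings.append("krb5_renew_interval unset or 0: no automatic renewal")
        if not to_seconds(opts.get("krb5_renewable_lifetime")):
            findings.append("krb5_renewable_lifetime unset: TGT not renewable")
        report[section[len("domain/"):]] = findings
    return report

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE_CONF).items():
        print(domain, "->", findings or "renewal configured")
```

Both settings belong in the `[domain/...]` section, and the KDC must also permit renewable tickets for the renewal to succeed.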