On Thu, Apr 11, 2013 at 08:15:41AM -0400, Sutton, Harry (GSSE) wrote:
After getting sssd logins working yesterday (thanks again, Sumit), I was pleasantly surprised to find I was able to log in this morning with my domain credentials from home /before/ I had established my VPN connection to the office. (I know I shouldn't have necessarily been surprised, that's the expected behavior, but I've been fiddling with this for weeks and only yesterday finally got things working as 'expected'.)
Before I made my VPN connection, I did a klist to see the cached credentials, and did a double-take when I saw the TGT:
At first I thought I was back in the U.S. Navy boot camp (which is where I was on December 31, 1969) but then I decided this timestamp might have been chosen intentionally to pre-date UNIX epoch time. But why go to all that trouble rather than just use the valid TGT I had received yesterday when I made a live, valid connection? Wasn't that cached, along with my authentication credentials?
Once I established my tunnel connection, I checked again, saw the same (old) TGT, so I logged out of the session (without dropping the tunnel connection) and when I logged back in I had a TGT dated today. I'm guessing (something I can test easily enough) that if I had waited long enough before logging out and back in again, the TGT would have been re-issued correctly.
I think krb5_store_password_if_offline (see man sssd-krb5) is the option you are looking for. About the strange date: sssd creates an empty credential cache with UNIX epoch time to allow other desktop applications which try to renew the Kerberos ticket to start working. I think that you see December 31 due to your timezone.
HTH
bye, Sumit
-- *Harry Sutton* Global Solutions Support Engineering (GSSE) GSD Customer Solution Center Technology Services, Enterprise Group
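An added example, not part of the original thread and not sssd code: it shows why a credential cache stamped with UNIX time 0 displays as December 31, 1969 west of UTC, and how to tell that placeholder entry apart from a real TGT in klist output. The sample klist text, its MM/DD/YY layout, the EXAMPLE.COM realm and the UTC-5 offset are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed klist output (not from the original post). The MM/DD/YY layout
# is an assumption; klist formatting varies by version and locale.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000_example
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
12/31/69 19:00:00  12/31/69 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""


def epoch_as_local(utc_offset_hours):
    """Render UNIX time 0 as naive wall-clock time for a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(0, tz).replace(tzinfo=None)


def parse_tickets(klist_text):
    """Yield (start, expires, principal) for each ticket line in klist output."""
    for line in klist_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            start = datetime.strptime(" ".join(parts[0:2]), "%m/%d/%y %H:%M:%S")
            end = datetime.strptime(" ".join(parts[2:4]), "%m/%d/%y %H:%M:%S")
        except ValueError:
            continue  # column header or other non-ticket line
        yield start, end, parts[4]


def placeholder_tickets(klist_text, utc_offset_hours):
    """Return principals whose start time is the UNIX epoch in local time."""
    epoch_local = epoch_as_local(utc_offset_hours)
    return [p for start, _end, p in parse_tickets(klist_text)
            if start == epoch_local]


if __name__ == "__main__":
    # UTC-5 is an assumed offset (US Eastern standard time on 1 Jan 1970).
    print(epoch_as_local(-5))
    print(placeholder_tickets(SAMPLE_KLIST, -5))
```

An entry flagged this way is the offline placeholder described in the reply, so Kerberos services will not be usable until a real TGT is obtained.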