Thanks for your answers!
>> Yes, please check man sssd-krb5 and the option that include
>> their name, e.g. "krb5_renewable_lifetime".
> After reading the manpage, I thought that this only affects auths via krb5 -
> however, our auth_provider is ad. Am I wrong here?
> The ad provider is an AD-specific wrapper around the krb5 provider, so it
> can be tuned with the krb5_* options.
I'll test it now with the following options specified in sssd.conf
(after restarting sssd service):
id_provider = ad
auth_provider = ad
ldap_id_mapping = false
access_provider = ad
enumerate = false
krb5_renewable_lifetime = 10h
krb5_renew_interval = 1h
However, I have my doubts: in a testcase, I also specified
"krb5_lifetime = 5m". However, when I log in and list my krb5 tickets
using klist, the expiration time still is the time specified by the
Samba server. Is this normal behavior or am I overlooking something?
>> But please note that only tickets acquired through SSSD will
>> this way.
> Actually, I don't even know which service acquires the ticket. Is it always
> SSSD? Or is it pam or ssh?
> How do you log in to the machine? Via ssh with a password, ssh with GSSAPI,
> Typically, the login methods that include a PAM authentication (GDM, su,
> ssh with password, ...) would contact sssd through the pam_sss module.
I/we log in via ssh with password at or lightdm, respectively.
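As an added example (not from this thread or the sssd project), a short Python check of what `klist` actually reports against what sssd.conf asked for, which is the comparison the test above turns on. It assumes MIT Kerberos `klist` output in the default date format and works on a constructed sample rather than a live cache:

```python
import re
from datetime import datetime, timedelta

# Constructed MIT `klist` output (default date format) for a session where sssd.conf
# asked for krb5_lifetime = 5m and krb5_renewable_lifetime = 10h.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 08:00:00  01/01/2024 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/01/2024 18:00:00
"""
TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TGT_RE = re.compile(rf"^({TS})[ \t]+({TS})[ \t]+krbtgt/\S+", re.M)
RENEW_RE = re.compile(rf"^[ \t]+renew until ({TS})", re.M)
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
FMT = "%m/%d/%Y %H:%M:%S"

def parse_duration(text):
    """Parse an sssd-style duration ('5m', '10h', '1d') into a timedelta."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2)])

def tgt_lifetimes(klist_output):
    """Return (ticket lifetime, renewable lifetime) of the TGT; renewable is None if absent."""
    m = TGT_RE.search(klist_output)
    if not m:
        raise ValueError("no krbtgt entry found in klist output")
    start = datetime.strptime(m.group(1), FMT)
    expires = datetime.strptime(m.group(2), FMT)
    r = RENEW_RE.search(klist_output, m.end())  # 'renew until' line follows the TGT line
    renewable = datetime.strptime(r.group(1), FMT) - start if r else None
    return expires - start, renewable

def check_policy(klist_output, requested_lifetime, requested_renewable):
    """Compare the issued TGT with what sssd.conf asked for: a KDC only shortens a
    requested lifetime, so a ticket living longer than krb5_lifetime was not requested
    with that setting, and krb5_renew_interval only helps if renew-until lies beyond expiry."""
    life, renew = tgt_lifetimes(klist_output)
    return {
        "ticket_lifetime": life,
        "renewable_lifetime": renew,
        "lifetime_exceeds_request": life > parse_duration(requested_lifetime),
        "renewal_possible": renew is not None and renew > life,
    }
```

On the sample the ticket lives 10h although 5m was requested, and renew-until equals expiry, so periodic renewal would buy nothing; both are the symptoms worth ruling out before tuning the krb5_* options further.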