After getting sssd logins working yesterday (thanks again, Sumit), I was
pleasantly surprised to find I was able to log in this morning with my
domain credentials from home /before/ I had established my VPN
connection to the office. (I know I shouldn't have necessarily been
surprised, that's the expected behavior, but I've been fiddling with
this for weeks and only yesterday finally got things working as 'expected'.)
Before I made my VPN connection, I did a klist to see the cached
credentials, and did a double-take when I saw the TGT:
At first I thought I was back in the U.S. Navy boot camp (which is where
I was on December 31, 1969) but then I decided this timestamp might have
been chosen intentionally to pre-date UNIX epoch time. But why go to all
that trouble rather than just use the valid TGT I had received yesterday
when I made a live, valid connection? Wasn't that cached, along with my
authentication credentials?
Once I established my tunnel connection, I checked again, saw the same
(old) TGT, so I logged out of the session (without dropping the tunnel
connection) and when I logged back in I had a TGT dated today. I'm
guessing (something I can test easily enough) that if I had waited long
enough before logging out and back in again, the TGT would have been
re-issued correctly.
--
*Harry Sutton*
Global Solutions Support Engineering (GSSE)
GSD Customer Solution Center
Technology Services, Enterprise Group