After getting sssd logins working yesterday (thanks again, Sumit), I
was pleasantly surprised to find I was able to log in this morning
with my domain credentials from home before I had
established my VPN connection to the office. (I know I shouldn't
have necessarily been surprised, that's the expected behavior, but
I've been fiddling with this for weeks and only yesterday finally
got things working as 'expected'.)
Before I made my VPN connection, I did a klist to see the cached
credentials, and did a double-take when I saw the TGT:
At first I thought I was back in the U.S. Navy boot camp (which is
where I was on December 31, 1969) but then I decided this timestamp
might have been chosen intentionally to pre-date UNIX epoch time.
But why go to all that trouble rather than just use the valid TGT I
had received yesterday when I made a live, valid connection? Wasn't
that cached, along with my authentication credentials?
Once I established my tunnel connection, I checked again, saw the
same (old) TGT, so I logged out of the session (without dropping the
tunnel connection) and when I logged back in I had a TGT dated
today. I'm guessing (something I can test easily enough) that if I
had waited long enough before logging out and back in again, the
TGT would have been re-issued correctly.
--
Harry Sutton
Global Solutions Support Engineering (GSSE)
GSD Customer Solution Center
Technology Services, Enterprise Group