On Wed, Jan 17, 2018 at 09:44:42AM -0000, tallinn1960(a)yahoo.de wrote:
> I am aware that sssd by design issues an invalid tgt upon login when
> it is operating in offline mode. The tgt has an expire date of the epoch. There is a
> configuration option for storing the login passwd within sssd to enable it to issue a
> correct ticket once it enters online mode again.
> Now, we are using yubikey-based PKINIT as our login and cannot use this configuration
> option. The problematic scenario runs like this:
> - Notebook is offline.
> - user logs in with yubikey
> - user starts a user program that establishes a vpn connection
> This results in a tgt expired at epoch.
> Two questions:
> 1. Is there a way to avoid this behaviour?

Maybe
https://access.redhat.com/blogs/766093/posts/1976663 and
https://ocserv.gitlab.io/www/recipes-ocserv-freeipa.html might help.
bye,
Sumit
> 2. Is issuing a kinit after setting up the vpn connection to obtain a valid tgt a
> valid workaround?
>
> Thanks in advance
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org