I’ve been working with SSSD for a good while and I could have sworn I knew how to get this working, but…

I log in on workstations via GDM and my Kerberos tickets get renewed automatically. As I type this, I realize that I do lock/unlock my screen at least once a day. My tickets never seem to expire on my workstation.

From my workstation, I ssh to a server with sssd-enabled authentication (Ubuntu bionic on both ends). I use a different account on the remote server and am asked for a password. Ssh is configured to use PAM and has its own password authentication disabled (PasswordAuthentication no; UsePAM yes; ChallengeResponseAuthentication yes). Home folders are kerberized NFS and upon initial login, all is well. However, the ticket for this session never renews on its own. sudo will refresh the ticket. It’s about the only other thing we have sssd enabled for besides ssh. Without any sudo activity, the Kerberos ticket expires and we lose access to home folders. Current workaround is a user cron job that tries to refresh the key every hour. I have to sudo on this server several times a day so my tickets were being renewed. Co-workers don’t have sudo access and they are the ones losing their tickets.

 

Is my assumption that one should be able to ssh to a server and have that server refresh tickets (like on a workstation) a valid one? If so, where should I concentrate my efforts to get this working?

Thanks to all in this group.

 Jay McCanta  |  Principal Systems Administrator
