On 9/6/21 4:49 AM, Sumit Bose wrote:
> Am Thu, Sep 02, 2021 at 10:02:54AM -0500 schrieb Patrick Goetz:
>>
>> On 9/2/21 12:49 AM, Sumit Bose wrote:
>>> The reason is that 'kinit -k' constructs the principal by calling
>>> gethostname() or similar, adding the 'host/' prefix and the realm. But
>>> by default this principal in AD is only a service principal can cannot
>>> be used to request a TGT as kinit does. AD only allows user principals
>>> for request a TGT and this is by default 'SHORT$@AD.REALM'. If the
>>> userPrincipalName attribute is set, this principal given here is allowed
>>> as well.
>>>
>>
>> This raises a couple of questions. Because of AD's flat address space, we
>> use a host naming convention in AD as a sort of low rent namespacing; so,
>> for example, for this host the college is cns and the research group cryo,
>> so the AD hostname is cns-cryo-ross1$
>>
>> However,
>>
>> # hostname
>> rossmann.biosci.utexas.edu
>>
>>
>> which is easier for the users to remember for ssh purposes.  We set
>>
>>    ad_hostname = cns-cryo-ross1.austin.utexas.edu
>>
>> in /etc/sssd/sssd.conf.
>>
>> But I just checked, and kinit does not use ad_hostname, so I have to run it
>> as
>>
>>    kinit -k -R cns-cryo-ross1$
>>
>> The question is, then what does use the ad_hostname key/value pair?
>>
>> Next, the kinit example provided by Spike was `kinit -k` -- we always run
>> `kinit -k -R`
>>
>> -R renews the TGT, which is what I thought is the thing set to expire in AD
>> that needs to be periodically renewed.  What's the purpose of running `kinit
>> -k` without the -R?
>
> Hi,
>
> there are two different things.
>
> First, there are the host keys in the keytab which are equivalent to a
> user password. Those keys are renewed by 'adcli update' if they are
> older then 30 days, similar as you would renew you user password if the
> AD DC tells you to do it.
>
> Second, with those keys you can request a Kerberos TGT
>
>      kinit -k 'shortname$'
>

I thought, based on the kinit man page, that the -k flag is just an
ordinary ticket request and that you need to add the -R flag to request
a TGT.  What you're saying is it also renews the TGT?

OTOH I thought `kinit -k` was updating the computer account password on
the domain controller, but that doesn't seem to be the case, in which
case I'm not even sure what the purpose of an ordinary (non-TGT) ticket
is if you're not requesting automatic login to some specifically
requested service.

Also, just to make sure I'm clear on this, the "renew until" doesn't
change because this is based on the computer account password
expiration, and further that sssd runs `adcli update` for you
periodically?  How often, by the way?


> as you can do with your user password:
>
>      kinit user@REALM
>      Password for user@REALM
>
> This TGT has a lifetime and it might have a renewal time as well:
>
> # klist
> Ticket cache: KCM:0:69840
> Default principal: Administrator@CHILD.AD.VM
>
> Valid starting       Expires              Service principal
> 09/06/2021 09:39:28  09/06/2021 19:39:28  krbtgt/CHILD.AD.VM@CHILD.AD.VM
>          renew until 09/07/2021 09:39:24
>
>
> In the example above the TGT will expire at '09/06/2021 19:39:28' but
> can be renewed until '09/07/2021 09:39:24'. This means that if you call
>
>      kinit -R
>
> before '09/06/2021 19:39:28' you will get a fresh TGT without entering
> your password. The new TGT will have a new lifetime but 'renew until'
> will stay the same. After '09/07/2021 09:39:24' 'kinit -R' will not work
> anymore and you have to enter your password again. It does not matter
> here if the TGT was originally requested with a keytab with 'kinit -k'
> or with plain 'kinit' and a password.
>
> However, since the keytab is present in the file system calling
>
>      kinit -k 'shortname$'
>
> will always get a fresh TGT without manual intervention. So in case you
> have a valid keytab this is even more flexible than 'kinit -R'
>
> HTH
>
> bye,
> Sumit
>
>>
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
>> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>>> This message is from an external sender. Learn more about why this <<
>>> matters at https://links.utexas.edu/rtyclf.                        <<
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure