I've been working with SSSD for a good while and I could have sworn I knew how to get
this working, but....
I log in on workstations via GDM and my Kerberos tickets get renewed automatically. As I
type this, I realize that I do lock/unlock my screen at least once a day. My tickets
never seem to expire on my workstation.
From my workstation, I ssh to a server with sssd-enabled authentication (Ubuntu bionic on
both ends). I use a different account on the remote server and am asked for a password.
Ssh is configured to use PAM and has its own password authentication disabled.
(PasswordAuthentication no; UsePAM yes; ChallengeResponseAuthentication yes). Home
folders are kerberized NFS and upon initial login, all is well. However the ticket for
this session never renews on its own. sudo will refresh the ticket. It's about the
only other thing we have sssd enabled for besides ssh. Without any sudo activity, the
Kerberos ticket expires and we lose access to home folders. Current workaround is a user
cron job that tries to refresh the key every hour. I have to sudo on this server several
times a day so my tickets were being renewed. Co-workers don't have sudo access and
they are the ones losing their tickets.
Is my assumption that one should be able to ssh to a server and have that server refresh
tickets (like on a workstation) a valid one? If so, where should I concentrate my
efforts to get this working?
Thanks to all in this group.
Jay McCanta | Principal Systems Administrator
D +1 (206) 272-7998 M +1-206-434-1080