Hi Sumit,
Yes, you are right, kinit -R -l 10m doesn't work either, so the problem lies
elsewhere. At least I know where not to look first.
Have a nice day,
Thomas
________________________________________
From: Sumit Bose <sbose(a)redhat.com>
Sent: Thursday, September 29, 2016 11:26 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: kerberos Key has expired
On Thu, Sep 29, 2016 at 03:03:04PM +0000, Thomas Beaudry wrote:
> Hi,
>
> It's an NFS 4.1 share mounted with autofs. Yes, it must be using the old key
> even though it's not in /tmp and it expires at the original key's expiration time,
> so I'm not quite sure how to debug it.

Maybe
http://wiki.linux-nfs.org/wiki/index.php/General_troubleshooting_recommen...
might help?

I guess you would be able to run into the same issue if you call

    kinit -R -l 10m

repeatedly. In this case I think it is not an SSSD issue.

bye,
Sumit

> Thanks,
> Thomas
________________________________________
From: Sumit Bose <sbose(a)redhat.com>
Sent: Thursday, September 29, 2016 10:51 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: kerberos Key has expired
On Thu, Sep 29, 2016 at 02:38:55PM +0000, Thomas Beaudry wrote:
> Hi,
>
>
> I am using sssd to renew my kerberos keys every 2 minutes (I know this is short, but
> it's for testing to see if it actually works). I also set the lifetime of my kerberos
> tickets to 10 minutes. I verified that sssd is in fact renewing the keys on the interval I
> specified, because when I "klist" I see the valid starting time change, however
> when I try to access the share it no longer works.
What kind of share is it? It looks like the file-system does not pick
the new key but continues to use the one used at mounting time.
bye,
Sumit
>
>
> Here is some output:
>
>
> tbeaudry@perf-hpc01:~$ date
> Thu Sep 29 10:19:29 EDT 2016
>
> tbeaudry@perf-hpc01:~$ klist
> Ticket cache: FILE:/usr/krb5/creds/.krb5cache_1624330994
> Default principal: tbeaudry@CONCORDIA.CA
>
> Valid starting       Expires              Service principal
> 2016-09-29 10:18:54  2016-09-29 10:28:54  krbtgt/CONCORDIA.CA@CONCORDIA.CA
>         renew until 2016-10-06 10:12:54
>
> tbeaudry@perf-hpc01:~$ cd ~
> -bash: cd: /NAS/home/tbeaudry: Key has expired
>
>
>
>
> From my krb5.conf
>
> [libdefaults]
> default_realm = CONCORDIA.CA
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 10m
> renew_lifetime = 7d
>
>
>
> From my sssd.conf
>
> [domain/concordia.ca]
> ad_domain = concordia.ca
> krb5_realm = CONCORDIA.CA
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> #use_fully_qualified_names = True
> override_homedir = /NAS/home/%u
> fallback_homedir = /home/%u
> access_provider = ad
> debug_level=7
> ignore_group_members=True
> krb5_renewable_lifetime = 7d
> krb5_renew_interval = 2m
>
> Thanks!
> Thomas
>
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org