On 06.04.22 21:39, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
Hi,
We have a few machines that joined a FreeIPA instance. We use NFSv4 +
kerberos to mount home directories.
However, if the user does not log on to the machine for more than 7 days,
and he leaves a job executing that writes to some file in his home
directory, the CPU usage of the machine goes up to the sky and the
machine gets almost unusable.
Is there a good strategy to fetch new TGTs when near expiration? I know
some users generate a keytab (or fetch them using ipa-getkeytab) to
automate a kinit, but I wonder if we could come up with a system-wide
solution that doesn't lead to storing keytabs around.
Any tips for that?
One way could be:

    ipa-getkeytab -s ipaserver.somedomain.com -p someipauser@SOMEDOMAIN.COM -P -k ./someipauser.keytab
    export KRB5_CLIENT_KTNAME=/some/path/to/someipauser.keytab

Cheers,
Ronald
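
Added example, not part of the original thread: both messages end up with a keytab on disk, so this wrapper refuses to use one that is not a private regular file owned by the calling user before running the non-interactive kinit the question mentions. The script name, keytab path and principal are placeholders, and `stat -c` assumes GNU coreutils on a Linux client.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Meant to be run from cron or a systemd
# timer at an interval shorter than the ticket lifetime, e.g.:
#   renew-tgt.sh /some/path/to/someipauser.keytab someipauser@SOMEDOMAIN.COM

# Succeed only if the keytab is a regular file (not a symlink), owned by the
# invoking user, with no group/other permission bits set.
keytab_is_private() {
    local kt=$1 mode owner
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt") || return 1     # octal mode, e.g. 600
    owner=$(stat -c '%u' "$kt") || return 1    # numeric owner uid
    [ "$owner" = "$(id -u)" ] || return 1
    # Leading 0 makes the shell read the mode as octal; 077 masks group+other.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Obtain a fresh TGT from the keytab. Returns 2 without touching Kerberos
# when the keytab fails the permission check.
renew_from_keytab() {
    local kt=$1 princ=$2
    if ! keytab_is_private "$kt"; then
        echo "refusing to use $kt: must be a regular file, owned by you, mode 0600 or stricter" >&2
        return 2
    fi
    kinit -k -t "$kt" "$princ"
}

# Only act when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    renew_from_keytab "$1" "$2"
fi
```

A keytab is a long-lived credential equivalent to the user's password, so the check fails closed rather than fixing the permissions silently.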