Thanks for the pointer. A bit old, but probably still
relevant.
Anyway, I was thinking that the following may be the
cause of
my observation. I'm now working from home (as many will
recognize).
My setup is a X2GO connection to the office. The session
is kept alive
all the time and without a screenlock in that X2GO
session.
Before I was working in the office, and there I had a
screenlock as soon
as I left my desk. I'm guessing that the TGT was renewed
or newly created
when I unlocked the screen. If that is the case then I
never noticed an
expired TGT.
It's just a wild guess.
In the mean time I'm going to figure out what the
configuration should be
to not run into an expired TGT all the time. Of course
we have a FreeIPA
flavor of it all. In my case: Centos7 for the masters,
and Ubuntu for the
clients.
Look at the client's configuration:
krb5_store_password_if_offline
krb5_renewable_lifetime
krb5_renew_interval