On 16-12-2020 14:59, François Cami wrote:
On Wed, Dec 16, 2020 at 2:53 PM Kees Bakker <keesb@ghs.com> wrote:
Thanks for the pointer. A bit old, but probably still relevant.

Anyway, I was thinking that the following may be the cause of
my observation. I'm now working from home (as many will recognize).
My setup is a X2GO connection to the office. The session is kept alive
all the time and without a screenlock in that X2GO session.

Before I was working in the office, and there I had a screenlock as soon
as I left my desk. I'm guessing that the TGT was renewed or newly created
when I unlocked the screen. If that is the case then I never noticed an
expired TGT.

It's just a wild guess.

In the mean time I'm going to figure out what the configuration should be
to not run into an expired TGT all the time. Of course we have a FreeIPA
flavor of it all. In my case: Centos7 for the masters, and Ubuntu for the
clients.

Look at the client's configuration:
https://linux.die.net/man/5/sssd-krb5
krb5_store_password_if_offline
krb5_renewable_lifetime
krb5_renew_interval


In /etc/sssd/sssd.conf I now have:
  krb5_renewable_lifetime = 60d
  krb5_renew_interval = 6h

The ipa client install already placed krb5_store_password_if_offline=True in there.

In /etc/krb5.conf in the [libdefaults] section I have:
  ticket_lifetime = 24h
  default_ccache_name = KEYRING:persistent:%{uid}

On the clients I now see a TGT with flags FRIA. Great. It seems that my server
only allows max 7 days.

    renew until 23-12-20 15:18:42, Flags: FRIA

Let's see if this is sufficient.
--
Kees