On 06-04-2022 21:39, Francis Augusto Medeiros-Logeay via FreeIPA-users wrote:
> Hi,
>
> We have a few machines that joined a FreeIPA instance. We use NFSv4 +
> kerberos to mount home directories.
>
> However, if the user does not log on to the machine for more than 7 days,
> and he leaves a job executing that writes to some file on his home
> directory, the CPU usage of the machine goes up to the sky and the
> machine gets almost unusable.
>
> Is there a good strategy to fetch new TGTs when near expiration? I know
> some users generate a keytab (or fetch them using ipa-getkeytab) to
> automate a kinit, but I wonder if we could come up with a system-wide
> solution that doesn't lead to storing keytabs around.
>
> Any tips for that?

Have you looked at SSSD's krb5_renew_interval and krb5_renewable_lifetime?
On my PC I changed it to:
/etc/sssd/sssd.conf
[domain/example.com]
...
krb5_renewable_lifetime = 60d
krb5_renew_interval = 6h
I don't really need it anymore because I'm now locking my PC when I go home :-).
And when I get back I have to enter my password, after which there is a new TGT.
--
Kees
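
Added example, not part of the message above and not SSSD's own code: a small audit of sssd.conf text that flags domains where the two options mentioned above will not produce automatic renewal. Per sssd-krb5(5), an unset krb5_renewable_lifetime means the TGT is not renewable and an unset or zero krb5_renew_interval disables renewal. The comparison against krb5_lifetime is a heuristic assumed here, and the sample config is constructed.

```python
import configparser
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Parse an SSSD duration: integer plus optional s/m/h/d unit (seconds if none)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def audit(conf_text):
    """Return {section_name: [findings]} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec, findings = cp[name], []
        renewable = sec.get("krb5_renewable_lifetime")
        interval = to_seconds(sec.get("krb5_renew_interval", "0"))
        lifetime = sec.get("krb5_lifetime")
        if renewable is None:
            findings.append("TGT not requested as renewable")
        if interval == 0:
            findings.append("automatic renewal disabled")
        elif renewable is not None and interval >= to_seconds(renewable):
            findings.append("renew interval exceeds renewable lifetime")
        # Heuristic (assumption): a check interval longer than the ticket
        # lifetime lets the TGT expire between two renewal checks.
        if interval and lifetime and interval >= to_seconds(lifetime):
            findings.append("renew interval exceeds ticket lifetime")
        report[name] = findings
    return report

# Constructed sample, not a real deployment.
SAMPLE = """\
[sssd]
domains = example.com, lab.example.com

[domain/example.com]
krb5_renewable_lifetime = 60d
krb5_renew_interval = 6h

[domain/lab.example.com]
krb5_renewable_lifetime = 7d
"""

if __name__ == "__main__":
    for domain, findings in audit(SAMPLE).items():
        print(domain, "->", findings or ["ok"])
```

The KDC's ticket policy still caps the renewable lifetime actually granted, so the value in sssd.conf is a request and the result is worth confirming with klist after login.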