Sumit Bose via FreeIPA-users wrote:
On Thu, Sep 17, 2020 at 10:14:37AM +0200, Ronald Wimmer via
FreeIPA-users wrote:
> On 14.09.20 09:07, Ronald Wimmer via FreeIPA-users wrote:
>> I have a script that runs periodically as a CRON job. The user is an
>> IPA user. Everything works perfectly for a while and at some point in
>> time I am getting log entries like:
>>
>> Sep 14 08:56:02 myServer CROND[24516]: (CRON) ERROR chdir failed
>> (/home/mydomain.at/myADUser): Permission denied
>>
>> After logging in manually with that particular user everything works
>> again...
>>
>> What could be the issue here?
>
> It looks like Kerberos ticket expiration. What would be the best way
> to automatically renew it? Do a kinit -R over crond?
Hi,
SSSD can renew Kerberos tickets it has requested, see
krb5_renew_interval in man sssd-krb5 for details.
Please note that the KDC assigns a maximal renewal time to the original
TGT, if this time is passed the ticket cannot be renewed anymore but a
fresh one has to be requested.
Or use a keytab instead.
A keytab along with KRB5_CLIENT_KTNAME ensures you don't need to worry
about kinit, expiration, etc.
rob