Every time I restart my workstation, I get errors with authentication:
$ ipa
ipa: ERROR: Ticket expired

$ kinit myuser
Password for myuser@HOME.MYDOMAIN.COM: ******

$ ipa cert-show 1
  Issuing CA: ipa
  Certificate: #######
  Subject: CN=Certificate Authority,O=HOME.MYDOMAIN.COM
  Issuer: CN=Certificate Authority,O=HOME.MYDOMAIN.COM
  Not Before: Thu Sep 19 01:27:28 2019 UTC
  Not After: Mon Sep 19 01:27:28 2039 UTC
  Serial number: 1
  Serial number (hex): 0x1
  Revoked: False

$ ipa pwpolicy-show global_policy
  Group: global_policy
  Max lifetime (days): 20000
  Min lifetime (hours): 1
  History size: 0
  Character classes: 0
  Min length: 8
  Max failures: 21
  Failure reset interval: 60
  Lockout duration: 600

$ ipa
Usage: ipa [global-options] COMMAND [command-options]

Manage an IPA domain

Options:
...
Then I have to restart the services that failed (like autofs) in order to mount NFSv4 properly. The problem is that I have to do it every time I restart the machine. Is there any additional step I should take on my workstation?
Thanks!
ws.home.mydomain.com gssproxy[1151]: gssproxy[1226]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
ws.home.mydomain.com gssproxy[1226]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
So I have a NFS4 mounted directory 'tools':
$ cd tools
tools: Permission denied.
$ ipa
ipa: ERROR: Ticket expired
$ kinit myuser
Password for myuser@HOME.MYDOMAIN.COM:
$ cd tools
$ ll
total 0
drwxrwxr-x. 3 myuser myuser 24 Jul 12 20:54 folderA
drwxr-xr-x. 2 myuser myuser 48 Aug 22 13:06 folderB
drwxrwxr-x. 2 myuser myuser 28 Oct  3 16:22 folderC
and I have to do it every time I restart my workstation. I was looking at https://www.freeipa.org/page/V4/CA_certificate_renewal but, as a client, I don't have the 'ipa-cacert-manage' tool, and I am not even sure if that is the direction I should be looking in.
Any suggestions would help a lot, thanks!
On Sat, 17 Oct 2020, Albert Szostkiewicz via FreeIPA-users wrote:
> ws.home.mydomain.com gssproxy[1151]: gssproxy[1226]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
> ws.home.mydomain.com gssproxy[1226]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure. Minor code may provide more information, No credentials cache found
>
> So I have a NFS4 mounted directory 'tools':
>
> $ cd tools
> tools: Permission denied.
> $ ipa
> ipa: ERROR: Ticket expired
> $ kinit myuser
> Password for myuser@HOME.MYDOMAIN.COM:
> $ cd tools
> $ ll
> total 0
> drwxrwxr-x. 3 myuser myuser 24 Jul 12 20:54 folderA
> drwxr-xr-x. 2 myuser myuser 48 Aug 22 13:06 folderB
> drwxrwxr-x. 2 myuser myuser 28 Oct  3 16:22 folderC
>
> and I have to do it every time I restart my workstation. I was looking at https://www.freeipa.org/page/V4/CA_certificate_renewal but, as a client, I don't have the 'ipa-cacert-manage' tool, and I am not even sure if that is the direction I should be looking in.
>
> Any suggestions would help a lot, thanks!
I don't see how this applies to CA certificate renewal at all. The CA certificate is valid for 20 years or so (now capped by year 2038) and is completely irrelevant to Kerberos tickets themselves.
You need to have a Kerberos ticket when accessing your NFS share. That can be obtained during login, for example, with SSSD. Or with kinit as you do.
By default, the IPA KDC also allows renewing the tickets, but you need to enable a client to request it. In SSSD, see the sssd-krb5 manual page (krb5_renewable_lifetime and related options) and, if using kinit manually, you can specify it there too with '-R 7d', for example (for 7 days). The man page for kinit has more details.
For details on max renewal of Kerberos tickets see https://freeipa.readthedocs.io/en/latest/workshop/11-kerberos-ticket-policy....
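The ticket-state logic behind the advice above, as an added example that is not part of Alexander's reply nor of FreeIPA or SSSD: a small POSIX shell script that classifies the TGT in a credential cache from `klist` output (missing, expired, renewable, or valid but not renewable), prints the sssd-krb5(5) settings that make SSSD obtain a renewable ticket at login and keep renewing it, and, where `klist` is installed, runs the check against the live cache. It assumes the MIT krb5 `klist` date format (MM/DD/YYYY HH:MM:SS) and a single TGT; the `klist` transcript embedded in it is constructed, not captured from the poster's workstation, and the domain name and lifetimes in the SSSD fragment are illustrative.

```shell
#!/bin/sh
# Added example for this thread (not code from the poster or from FreeIPA/SSSD):
# classify the Kerberos TGT in a workstation's credential cache from `klist`
# output, and print sssd.conf settings for a renewable ticket obtained at login.
# Assumes MIT krb5 `klist` date format (MM/DD/YYYY HH:MM:SS) and a single TGT.

# Constructed sample klist output, not captured from the poster's machine.
SAMPLE_KLIST='Ticket cache: KCM:1000
Default principal: myuser@HOME.MYDOMAIN.COM

Valid starting       Expires              Service principal
10/17/2020 09:12:34  10/18/2020 09:12:34  krbtgt/HOME.MYDOMAIN.COM@HOME.MYDOMAIN.COM
        renew until 10/24/2020 09:12:34'

# to_key "MM/DD/YYYY HH:MM:SS" -> YYYYMMDDHHMMSS, which orders correctly as a string
to_key() {
    printf '%s\n' "$1" |
        awk -F'[/ :]' '{ printf "%s%s%s%s%s%s\n", $3, $1, $2, $4, $5, $6 }'
}

# tgt_state KLIST_TEXT "MM/DD/YYYY HH:MM:SS"
# Prints one of: missing | expired | renewable | valid-not-renewable
# "missing" and "expired" are the states behind "ipa: ERROR: Ticket expired" and
# gssproxy's "No credentials cache found" on a krb5-secured NFSv4 mount.
# Only a TGT that is still valid can be extended with `kinit -R`.
tgt_state() {
    now=$(to_key "$2")
    printf '%s\n' "$1" | awk -v now="$now" '
        function key(d, t,   a) { split(d, a, "/"); gsub(":", "", t); return a[3] a[1] a[2] t }
        /krbtgt\//            { found = 1; expk = key($3, $4); want = 1; next }
        want && /renew until/ { renk = key($3, $4); want = 0; next }
                              { want = 0 }
        END {
            if (!found)                   { print "missing"; exit }
            if (expk <= now)              { print "expired"; exit }
            if (renk != "" && renk > now) { print "renewable"; exit }
            print "valid-not-renewable"
        }'
}

# sssd-krb5(5) options that request a renewable TGT at login and renew it before
# it expires. Domain name and lifetimes are illustrative; keep them within the
# maximum lifetimes allowed by the IPA Kerberos ticket policy.
sssd_renewal_fragment() {
    cat <<'EOF'
[domain/home.mydomain.com]
krb5_lifetime = 24h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
EOF
}

# Live check on a real workstation; skipped where klist is not installed.
check_live_ticket() {
    command -v klist >/dev/null 2>&1 || { echo "klist not installed, skipping live check"; return 0; }
    out=$(klist 2>&1 || true)
    state=$(tgt_state "$out" "$(date '+%m/%d/%Y %H:%M:%S')")
    echo "TGT state: $state"
    case "$state" in
        renewable)       echo "kinit -R would extend the ticket" ;;
        missing|expired) echo "a fresh ticket is needed: kinit -r 7d myuser, or let SSSD obtain one at login" ;;
    esac
}

check_live_ticket
```

Note that `kinit -r 7d` requests a ticket whose renewable lifetime is 7 days, while `kinit -R` performs the renewal of an existing, still-valid ticket; if SSSD handles the login it issues both on your behalf once `krb5_renewable_lifetime` and `krb5_renew_interval` are set.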
Thanks Alexander for some insights!
From what you have described, I understand that something is wrong with the fact I am NOT getting Kerberos ticket on login. I'm guessing I should investigate SSSD logs to see what might be happening there.
I am meant to be using a mostly default setup; I didn't modify anything, and my intention was not to get it manually. I'm still trying to get my head around those things as a mortal user, playing with IPA at home :)
Thanks!
freeipa-users@lists.fedorahosted.org