On Wed, Oct 18, 2017 at 10:00:35AM +0200, Michael Löffler wrote:
> Dear SSSD Users,
>
> I have a question regarding the renewal of Kerberos tickets within a Samba
> AD. All servers and clients are running Ubuntu 16.04. We have a lot of
> Windows clients too; therefore we're using Samba. First of all, I'll
> summarize our setup:
>
> - One server acts as the Samba AD Host (and Kerberos (integrated in Samba)
>   principal)
> - One server acts as a file server; all directories (the users' home
>   directories as well) are exported via kerberized NFS
> - The clients mount the directories; login auth is realized using sssd (with
>   id_provider = ad, auth_provider = ad and access_provider = ad)
>
> When a user logs in at a client, he gets a Kerberos ticket and is therefore
> granted access to his home directory. If he locks the screen and logs in
> again, the ticket is renewed. However, if the user keeps the client locked
> for a time greater than the ticket lifetime, the ticket expires and the user
> is not able to write to his home directory any more. That's a problem if the
> user is, for example, running a process which takes a long time (in our case
> mostly simulations which are usually run overnight). The same thing happens
> if a user connects to a client via ssh. Then, the ticket is never renewed
> automatically.
>
> Is it somehow possible to configure that sssd renews the krb5 ticket if the
> user has active processes running?
>
> Regards
> Michael

Yes, please check man sssd-krb5 and the options that include 'renew' in
their name, e.g. "krb5_renewable_lifetime".
But please note that only tickets acquired through SSSD will be renewed
this way. Tickets acquired through kinit or in another way won't -- that's
why we are working on KCM and in particular
https://pagure.io/SSSD/sssd/issue/1723
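
A sketch of how the renewal options from sssd-krb5(5) could look in the domain section of sssd.conf for the setup described in the question. This is an added example, not configuration posted in the thread; the domain name and all time values are placeholders chosen for illustration.

```ini
# /etc/sssd/sssd.conf (fragment) -- "example.com" is a placeholder domain name
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad

# Lifetime requested for the TGT obtained at login (placeholder value).
krb5_lifetime = 10h

# Total time during which that TGT may be renewed without a new login
# (placeholder value). Without a renewable lifetime there is nothing to renew.
krb5_renewable_lifetime = 7d

# Seconds between SSSD's checks whether a TGT should be renewed.
# If this option is unset or 0, automatic renewal is disabled.
krb5_renew_interval = 3600
```

The KDC has to permit renewable tickets as well, and its policy caps the renewable lifetime a client actually receives, so a long value here cannot extend tickets beyond what the KDC allows. After the next login, `klist -f` shows whether the ticket carries the renewable (R) flag.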