Hello,
The server with the home directories is mounted beforehand with this line: linfile1:/ifs/data
/media/linfile1 nfs defaults,sec=krb5,auto 0 0, but of course it is only accessible when a user
is logged in with a corresponding ticket.
I already set the interval (for those who didn't know this: the krb5_renew_interval is
necessary!).
The renewal seems to work in some cases and not in others.
I also now have different ticket caches, like /tmp/krb5cc_59406_KO7sqV and
/tmp/krb5cc_59406.
The one without the random suffix does not seem to be refreshed.
@Baldwin: It was a requirement by our security department.
Before using Kerberos, everything worked fine with OneFS and sssd (and sssd is in my
opinion the easiest solution).
We are using version 7.2 and the AD provider of Isilon.
Best regards,
Peter
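As an added illustration of the "which cache is actually renewable" question above (not code from the thread or from sssd), the script below parses MIT `klist` output for a credential cache and classifies its TGT; the two klist outputs are constructed samples modelled on the cache names mentioned, and the principal and realm are assumed.

```python
import re
from datetime import datetime

# Constructed klist output for the cache without the suffix (no "renew until"
# line, so the TGT is not renewable). Not real output from the thread.
SAMPLE_PLAIN = """Ticket cache: FILE:/tmp/krb5cc_59406
Default principal: ptulpen@EXAMPLE.COM

Valid starting       Expires              Service principal
01/04/2016 07:10:40  01/04/2016 17:10:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
# Constructed output for the cache with the random suffix (renewable TGT).
SAMPLE_SUFFIX = (SAMPLE_PLAIN.replace("krb5cc_59406", "krb5cc_59406_KO7sqV")
                 + "\trenew until 01/11/2016 07:10:40\n")

TS = "%m/%d/%Y %H:%M:%S"
TGT_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/\S+$", re.M)
RENEW_RE = re.compile(r"renew until (\S+ \S+)")


def parse_klist(text):
    """Return (expires, renew_until) for the TGT in MIT klist output.
    renew_until is None when klist prints no 'renew until' line."""
    m = TGT_RE.search(text)
    if not m:
        raise ValueError("no krbtgt entry in klist output")
    expires = datetime.strptime(m.group(2), TS)
    # 'renew until' belongs to the ticket on the line directly above it.
    next_line = text[m.end():].lstrip("\n").split("\n", 1)[0]
    r = RENEW_RE.search(next_line)
    return expires, (datetime.strptime(r.group(1), TS) if r else None)


def renewal_status(expires, renew_until, now):
    """What a renewal task (e.g. sssd's krb5_renew_interval job) can still
    do with this TGT at time `now`. Renewal must happen before expiry."""
    if renew_until is None:
        return "not renewable"   # only a fresh login / kinit helps
    if now >= expires:
        return "expired"         # renewal window was missed
    return "renewable"           # can be renewed until renew_until


if __name__ == "__main__":
    now = datetime(2016, 1, 4, 12, 0, 0)   # constructed "current time"
    for sample in (SAMPLE_PLAIN, SAMPLE_SUFFIX):
        exp, ru = parse_klist(sample)
        print(sample.splitlines()[0], "->", renewal_status(exp, ru, now))
```

On a real host, feed it the output of `klist -c FILE:/tmp/krb5cc_<uid>...` for each cache of the user to see which one sssd can still renew and which one needs a new login.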
--- Original message ---
From: Jakub Hrozek <jhrozek(a)redhat.com>
Date: 04.01.2016 07:10:40
To: Peter Tulpen <ptulpen(a)emailn.de>, End-user discussions about the System
Security Services Daemon <sssd-users(a)lists.fedorahosted.org>
Subject: [SSSD-users] Re: several kerberos issues
> On 27 Dec 2015, at 19:50, Peter Tulpen <ptulpen(a)emailn.de> wrote:
>
>
>
Sorry for the late response, the mail was stuck in the moderation queue
during the Christmas break.
> Hello,
> Since we were forced to use Kerberos on our Isilon NFS share, we see
> several issues and have several use cases, which might all be covered by sssd,
> but this is too confusing for me to cope with.
> What I already understood is that I have to forget about public/private
> key, because of this issue:
> https://fedorahosted.org/freeipa/ticket/4000
> Also we have the home directories on the kerberized server, so we get
> an infinite loop.
I'm not sure I understand, is the homedir mounted before the user authenticates?
> The 3 use cases:
> - Login in Linux directly with username and password (ticket
> creation needed) and login to other servers via ssh passwordless with this
> ticket (this works already)
> - Login into Windows with a smartcard (with getting a valid TGT)
> and logging into the servers via PuTTY (or something similar). Also from here,
> logon to other servers (works only when there is already a ticket)
> - Services with a default user, whose tickets get refreshed infinitely
> (I think I have to use keytabs, but the refreshing does not work)
>
> So can I achieve that in every case sssd refreshes the tickets? Or
> do I have to combine sssd with something like krenew?
Please take a look at options like krb5_renew_interval, do these help?
> Do I have to switch Kerberos on or off in the ssh config (I find different
> opinions about that online)?
> I attached the ssh krb and sssd configs
> Best regards,
> Peter
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org