On Thu, Oct 19, 2017 at 11:40:39AM +0200, Michael Löffler wrote:
Hi,
> Yes, please check man sssd-krb5 and the option that include 'renew' in
> their name, e.g. "krb5_renewable_lifetime".
After reading the manpage, I thought that this only affects auths via krb5 -
however, our auth_provider is ad. Am I wrong here?
The ad provider is a AD-specific wrapper around the krb5 provider, so it
can be tuned with the krb5_* options.
> But please note that only tickets acquired through SSSD will be renewed
> this way.
Actually, I don't even know which service acquires the ticket. Is it always
SSSD? Or is it pam or ssh?
How do you log in to the machine? Via ssh with a password, ssh with GSSAPI,
GDM..?
Typically, the login methods that include a PAM authentication (GDM, su,
ssh with password, ...) would contact sssd through the pam_sss module.