Hi,

> Yes, please check man sssd-krb5 and the options that include 'renew' in
> their name, e.g. "krb5_renewable_lifetime".

After reading the manpage, I thought that this only affects auths via
krb5 - however, our auth_provider is ad. Am I wrong here?

> But please note that only tickets acquired through SSSD will be renewed
> this way.

Actually, I don't even know which service acquires the ticket. Is it
always SSSD? Or is it pam or ssh?

I would appreciate it if you could help me here.

Regards
Michael
On 18.10.2017 10:12, Jakub Hrozek wrote:
> On Wed, Oct 18, 2017 at 10:00:35AM +0200, Michael Löffler wrote:
>> Dear SSSD Users,
>>
>> I have a question regarding the renewal of Kerberos tickets within a Samba
>> AD. All servers and clients are running Ubuntu 16.04. We have a lot of
>> Windows clients too; therefore we're using Samba. First of all, I'll
>> summarize our setup:
>>
>> - One server acts as the Samba AD Host (and Kerberos (integrated in Samba)
>> principal)
>> - One server acts as a file server; all directories (the users' home
>> directories as well) are exported via kerberized NFS
>> - The clients mount the directories; login auth is realized using sssd (with
>> id_provider = ad, auth_provider = ad and access_provider = ad)
>>
>> When a user logs in at a client, he gets a Kerberos ticket and is therefore
>> granted access to his home directory. If he locks the screen and logs in
>> again, the ticket is renewed. However, if the user keeps the client locked
>> for a time greater than the ticket lifetime, the ticket expires and the user
>> is not able to write to his home directory any more. That's a problem if the
>> user is, for example, running a process which takes a long time (in our case
>> mostly simulations which are usually run overnight). The same thing happens
>> if a user connects to a client via ssh. Then, the ticket is never renewed
>> automatically.
>>
>> Is it somehow possible to configure that sssd renews the krb5 ticket if the
>> user has active processes running?
>>
>> Regards
>> Michael
>
> Yes, please check man sssd-krb5 and the options that include 'renew' in
> their name, e.g. "krb5_renewable_lifetime".
>
> But please note that only tickets acquired through SSSD will be renewed
> this way. Tickets acquired through kinit or in another way won't -- that's
> why we are working on KCM and in particular
>
> https://pagure.io/SSSD/sssd/issue/1723
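
An added example, not part of the original thread and not SSSD's own code: a small check that reads an sssd.conf and reports, per domain, whether the 'renew' options from sssd-krb5(5) are set so that SSSD can renew the tickets it acquires. The sample configuration, domain names and function names are constructed for illustration; it relies on sssd-ad(5) stating that the AD provider accepts the sssd-krb5 options.

```python
import configparser
import re

# Constructed sample sssd.conf (domain names and values are illustrative).
SAMPLE_CONF = """
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_renewable_lifetime = 7d
krb5_renew_interval = 3600

[domain/lab.example.com]
id_provider = ad
auth_provider = ad
krb5_renewable_lifetime = 7d
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert '3600', '60m' or '7d' to seconds; None if unset or malformed."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value or "")
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def renewal_findings(conf_text):
    """Return {domain: [problems]} for domains that authenticate via krb5 or ad."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # auth_provider falls back to id_provider when unset (sssd.conf(5)).
        auth = dom.get("auth_provider", dom.get("id_provider", ""))
        if auth not in ("krb5", "ad"):  # the AD provider accepts sssd-krb5 options
            continue
        problems = []
        if not to_seconds(dom.get("krb5_renewable_lifetime")):
            problems.append("krb5_renewable_lifetime unset: TGT is not renewable")
        if not to_seconds(dom.get("krb5_renew_interval")):
            problems.append("krb5_renew_interval unset or 0: automatic renewal disabled")
        findings[section[len("domain/"):]] = problems
    return findings

if __name__ == "__main__":
    for domain, problems in renewal_findings(SAMPLE_CONF).items():
        print(domain, "OK" if not problems else problems)
```

A domain that sets only krb5_renewable_lifetime gets renewable tickets, but SSSD does not renew them until krb5_renew_interval is also set to a non-zero value.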