On Fri, Jun 02, 2017 at 10:36:40AM +0000, Joakim Tjernlund wrote:
> On Fri, 2017-06-02 at 11:37 +0200, Sumit Bose wrote:
> > On Fri, Jun 02, 2017 at 09:11:13AM +0000, Joakim Tjernlund wrote:
> > > We are seeing extra keytab entries in krb5.keytab here and there:
> > > klist -k
> > > ....
> > > 11 host/GENTOO64(a)INFINERA.COM
> > > 12 host/GENTOO64(a)INFINERA.COM
> > > ...
> > >
> > > I suspect sssd has added them, but why? and how?
> >
> > If this is an AD client SSSD will try to use adcli to renew the machine
> > account password every 30 days as Windows clients do, see
> > ad_maximum_machine_account_password_age and
> > ad_machine_account_password_renewal_opts in man sssd-ad for details.
> I see, thanks.
> sssd does not seem to clean out the old entries though, after some time.
It is expected that adcli keeps only the new and the last valid entry.
> Is it really necessary to refresh all keytab keys periodically?
It depends on your environment. There are some tools for Windows which
determine if a client is still active or can be removed from AD by
checking when the machine account password was renewed the last time.
But if this is not used in your environment you can disable it.
bye,
Sumit
>
> Jocke
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
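An added check, not part of the thread above: a small POSIX shell function that reads `klist -k` output and lists, per principal, every KVNO older than the two newest ones, since adcli is expected to keep only the current key and the previous one. The sample keytab listing, principals and KVNO numbers are constructed for illustration; on a real host, pipe `klist -k` into the function.

```shell
#!/bin/sh
# Constructed sample in the format `klist -k` prints (made-up principals
# and KVNOs): one principal carries three KVNOs, one the expected two,
# one a single key.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 host/gentoo64.example.com@EXAMPLE.COM
  10 host/gentoo64.example.com@EXAMPLE.COM
  11 host/gentoo64.example.com@EXAMPLE.COM
  11 host/GENTOO64@EXAMPLE.COM
  12 host/GENTOO64@EXAMPLE.COM
   3 nfs/gentoo64.example.com@EXAMPLE.COM'

# stale_kvnos KEEP < klist-output
# Prints "principal kvno" for each KVNO that is older than the KEEP
# newest KVNOs of that principal (KEEP defaults to 2: current + previous).
# The same KVNO listed once per enctype counts as one entry.
stale_kvnos() {
    keep="${1:-2}"
    # keep only entry lines (first field numeric), emit "principal kvno",
    # drop duplicates, then order by principal and KVNO descending so the
    # newest keys of each principal come first
    awk '$1 ~ /^[0-9]+$/ { print $2, $1 }' \
      | sort -u \
      | sort -k1,1 -k2,2nr \
      | awk -v keep="$keep" '
            $1 != prev { prev = $1; n = 0 }
            { n++; if (n > keep) print $1, $2 }'
}

# count_stale KEEP < klist-output: number of stale entries found
count_stale() {
    stale_kvnos "$1" | wc -l | tr -d ' '
}

# Report for the constructed sample; expected: one stale entry (KVNO 9).
printf '%s\n' "$SAMPLE_KLIST" | stale_kvnos 2
```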