Lukas - Thanks for responding. You stated that the krb5 ticket is
"renewed" after each authentication. What are all the methods of
"authentication"? I.e. when a user logs in using SSSD, that
authenticates against Kerberos (in our case, that is a Windows server),
and the person gets a Kerberos ticket. But if the person stays logged in
for many weeks, without logging out, it sounds like the automatic
renewal will eventually stop, after the number of days specified by the
SSSD krb5_lifetime setting. After which point, the user will need to
either use kinit, or log out and log back in, in order to get a new
ticket. Is that correct?

If so, this will create a problem for our users. We presently are
running Linux (Fedora and Red Hat) on many workstations, and using SSSD
to authenticate logins via LDAP from our Windows Active Directory
server. We have a Linux NFS file server that is serving a /home disk,
which contains everybody's home directory. It is presently mounted
without any authentication via an entry in /etc/fstab, on each
workstation. For security reasons, we are interested in trying to
configure the /home disk to be mounted using Kerberos authentication.
I have read that this will require users to have a Kerberos ticket, in
order to access their directory that is on the /home NFS mounted disk.
SSSD can be configured to authenticate using Kerberos, thus
automatically creating a ticket when the person logs in. But if the
person stays logged in for longer than krb5_lifetime, it would seem to
me that this means that access to the /home disk will fail. Is that
so? What if a user is running a job that is accessing /home, and the
ticket expires and can no longer be renewed by SSSD, because it has
reached the life limit? That job will fail, won't it? I'm trying to
verify if this is the case. Thanks! - Mark
On 9/1/2017 3:52 PM, Lukas Slebodnik wrote:
On (01/09/17 12:01), Mark London wrote:
> On 9/1/2017 10:30 AM, John Hodrien wrote:
>> On Fri, 1 Sep 2017, Michal Židek wrote:
>>
>>> See man sssd-krb5 and option:
>>> krb5_renew_interval
>>>
>>> Is this what you are looking for? Look for other options
>>> in that man page too, maybe you will need some of them.
>> If this is against a typical AD installation, that'll get you automatic
>> certificate renewals for up to 7 days.
> But we have people logged into linux workstations for months at a time.
> What happens to their connection to their home directory, when their 7 day
> period ends? - Mark
The krb5 ticket is "renewed" after each authentication. If the user does not
authenticate very often, then krb5_renew_interval will help.
But usually, the krb5 ticket cannot be renewed to infinity
(equivalent to "kinit -R") due to krb5 server-side limits/settings.
I do not know the details about your deployment, so it is difficult to answer.
LS
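The server-side limit Lukas mentions (the "up to 7 days" in John's reply) is visible on the client as the "renew until" time that klist prints for the TGT. The script below is an added illustration, not code from the thread or from SSSD: it parses a constructed klist listing, reports whether the ticket can still be renewed and when a fresh login or kinit becomes unavoidable, and flags a krb5_renew_interval that is too long to fire before the ticket expires. The principal, realm, cache name and timestamps are assumed placeholders.

```python
from datetime import datetime, timedelta
import re
# Constructed `klist` listing (MIT Kerberos, C locale, 4-digit years); the
# principal, realm and cache name are placeholders, not from the thread.
SAMPLE_KLIST = """\
Ticket cache: KEYRING:persistent:1000:1000
Default principal: mark@EXAMPLE.COM

Valid starting       Expires              Service principal
09/01/2017 12:01:00  09/01/2017 22:01:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 09/08/2017 12:01:00
"""
TS_FMT = "%m/%d/%Y %H:%M:%S"
TS_RE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TGT_RE = re.compile(rf"^({TS_RE})\s+({TS_RE})\s+krbtgt/\S+$", re.M)
RENEW_RE = re.compile(rf"^\s*renew until ({TS_RE})\s*$")

def parse_tgt(listing):
    """Return (expires, renew_until) for the krbtgt entry; renew_until is
    None when no 'renew until' line follows it (ticket not renewable)."""
    m = TGT_RE.search(listing)
    if m is None:
        raise ValueError("no krbtgt entry in cache listing")
    expires = datetime.strptime(m.group(2), TS_FMT)
    next_line = listing[m.end():].lstrip("\n").split("\n", 1)[0]
    r = RENEW_RE.match(next_line)
    return expires, (datetime.strptime(r.group(1), TS_FMT) if r else None)

def renewal_status(expires, renew_until, now, renew_interval):
    """Classify the TGT as of `now`. A renewal (SSSD's equivalent of
    `kinit -R`) needs a still-valid renewable ticket and can never extend it
    past renew_until, so that is the hard deadline for a new login or kinit."""
    if now >= expires:
        return {"state": "expired", "reauth_deadline": expires}
    if renew_until is None or renew_until <= expires:
        return {"state": "not_renewable", "reauth_deadline": expires}
    return {
        "state": "renewable",
        "reauth_deadline": renew_until,
        # SSSD checks every krb5_renew_interval; if the next check lands
        # after expiry, this ticket lapses before it can be renewed.
        "renew_interval_too_long": now + renew_interval >= expires,
    }

def check(listing, now_str, renew_interval_hours):
    """Wrapper taking a klist-style timestamp and the interval in hours."""
    expires, renew_until = parse_tgt(listing)
    return renewal_status(expires, renew_until, datetime.strptime(now_str, TS_FMT),
                          timedelta(hours=renew_interval_hours))
```

Run `check(SAMPLE_KLIST, "09/01/2017 20:00:00", 1)` to see a ticket that SSSD can still renew until 09/08; the same call with `3` shows an interval that would miss the expiry.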
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org