On Thu, Sep 29, 2016 at 03:03:04PM +0000, Thomas Beaudry wrote:
> Hi,
> It's an NFS 4.1 share mounted with autofs. Yes, it must be using the old key
> even though it's not in /tmp, and it expires at the original key's expiration time,
> so I'm not quite sure how to debug it.
Maybe
http://wiki.linux-nfs.org/wiki/index.php/General_troubleshooting_recommen...
might help?
I guess you would be able to run into the same issue if you call
kinit -R -l 10m
repeatedly. In this case I think it is not an SSSD issue.
bye,
Sumit
>
> Thanks,
> Thomas
> ________________________________________
> From: Sumit Bose <sbose(a)redhat.com>
> Sent: Thursday, September 29, 2016 10:51 AM
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] Re: kerberos Key has expired
>
> On Thu, Sep 29, 2016 at 02:38:55PM +0000, Thomas Beaudry wrote:
> > Hi,
> >
> >
> > I am using sssd to renew my kerberos keys every 2 minutes (I know this is short,
> > but it's for testing to see if it actually works). I also set the lifetime of my
> > kerberos tickets to 10 minutes. I verified that sssd is in fact renewing the keys on the
> > interval I specified, because when I "klist" I see the valid starting time
> > change; however, when I try to access the share it no longer works.
>
> What kind of share is it? It looks like the file-system does not pick
> the new key but continues to use the one used at mounting time.
>
> bye,
> Sumit
>
> >
> >
> > Here is some output:
> >
> >
> > tbeaudry@perf-hpc01:~$ date
> > Thu Sep 29 10:19:29 EDT 2016
> >
> > tbeaudry@perf-hpc01:~$ klist
> > Ticket cache: FILE:/usr/krb5/creds/.krb5cache_1624330994
> > Default principal: tbeaudry(a)CONCORDIA.CA
> >
> > Valid starting Expires Service principal
> > 2016-09-29 10:18:54 2016-09-29 10:28:54 krbtgt/CONCORDIA.CA(a)CONCORDIA.CA
> > renew until 2016-10-06 10:12:54
> >
> > tbeaudry@perf-hpc01:~$ cd ~
> > -bash: cd: /NAS/home/tbeaudry: Key has expired
> >
> >
> >
> >
> > From my krb5.conf
> >
> > [libdefaults]
> > default_realm = CONCORDIA.CA
> > dns_lookup_realm = true
> > dns_lookup_kdc = true
> > ticket_lifetime = 10m
> > renew_lifetime = 7d
> >
> >
> >
> > From my sssd.conf
> >
> > [domain/concordia.ca]
> > ad_domain = concordia.ca
> > krb5_realm = CONCORDIA.CA
> > realmd_tags = manages-system joined-with-adcli
> > cache_credentials = True
> > id_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = True
> > #use_fully_qualified_names = True
> > override_homedir = /NAS/home/%u
> > fallback_homedir = /home/%u
> > access_provider = ad
> > debug_level=7
> > ignore_group_members=True
> > krb5_renewable_lifetime = 7d
> > krb5_renew_interval = 2m
> >
> > Thanks!
> > Thomas
> >
> >
>
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
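
An added example, not part of the original thread: a small Python check that parses the `klist` output quoted above and compares the cached TGT with the time of the `Key has expired` error. The function names and state labels are illustrative, the sample is transcribed from the thread with `@` restored, and it assumes the ISO-style timestamps shown there.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the klist output quoted in the thread, "@" restored.
SAMPLE = """\
Ticket cache: FILE:/usr/krb5/creds/.krb5cache_1624330994
Default principal: tbeaudry@CONCORDIA.CA

Valid starting       Expires              Service principal
2016-09-29 10:18:54  2016-09-29 10:28:54  krbtgt/CONCORDIA.CA@CONCORDIA.CA
        renew until 2016-10-06 10:12:54
"""

TS = r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(rf"^{TS}\s+{TS}\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until {TS}\s*$")
FMT = "%Y-%m-%d %H:%M:%S"  # klist prints local time; all values here are naive local

def parse_klist(text):
    """Return one dict per ticket found in ISO-dated klist output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"start": datetime.strptime(m.group(1), FMT),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "service": m.group(3), "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # a "renew until" line belongs to the ticket above it
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets

def diagnose(ticket, failure_time, renew_interval):
    """Classify an access failure against the state of the cached ticket."""
    lifetime = ticket["expires"] - ticket["start"]
    if renew_interval >= lifetime:
        return "renewal-too-slow"            # ticket can lapse between renewals
    if ticket["renew_until"] and failure_time >= ticket["renew_until"]:
        return "renewable-lifetime-exhausted"
    if ticket["start"] <= failure_time < ticket["expires"]:
        return "cache-valid-consumer-stale"  # cache is fine; look at the NFS/GSS side
    return "cache-expired"

if __name__ == "__main__":
    tgt = parse_klist(SAMPLE)[0]
    # 10:19:29 is the `date` output printed just before the failed `cd`.
    print(diagnose(tgt, datetime(2016, 9, 29, 10, 19, 29), timedelta(minutes=2)))
```

With the values from the thread, the cache holds a valid TGT at the moment the share fails, which matches Sumit's reading that the consumer of the credentials, not the renewal in SSSD, is where to look.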