On Fri, 2017-06-02 at 11:37 +0200, Sumit Bose wrote:
> On Fri, Jun 02, 2017 at 09:11:13AM +0000, Joakim Tjernlund wrote:
> > We are seeing extra keytab entries in krb5.keytab here and there:
> > klist -k
> > ....
> > 11 host/GENTOO64@INFINERA.COM
> > 12 host/GENTOO64@INFINERA.COM
> > ...
> >
> > I suspect sssd has added them, but why? and how?
>
> If this is an AD client SSSD will try to use adcli to renew the machine
> account password every 30 days as Windows clients do, see
> ad_maximum_machine_account_password_age and
> ad_machine_account_password_renewal_opts in man sssd-ad for details.

I see, thanks.
sssd does not seem to clean out the old entries though, after some time.
Is it really necessary to refresh all keytab keys periodically?
Jocke
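
An added example, not part of the original thread: a small Python parser that groups `klist -k` output by principal and reports which key version numbers (the leading 11 and 12 in the listing above) are older than the newest one. The sample text is constructed around the two entries quoted in the thread and assumes the plain MIT `klist -k` layout (optionally with `-e`, not `-t`); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of `klist -k` output; only the principal and the
# KVNOs 11 and 12 come from the thread, the rest is illustrative.
SAMPLE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
  11 host/GENTOO64@INFINERA.COM
  11 host/GENTOO64@INFINERA.COM
  12 host/GENTOO64@INFINERA.COM
  12 host/GENTOO64@INFINERA.COM
"""

# An entry line is "<kvno> <principal@REALM>", optionally followed by an
# enctype in parentheses when klist is run with -e.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)")


def kvnos_by_principal(klist_output):
    """Map each principal to the sorted list of distinct KVNOs in the keytab."""
    found = defaultdict(set)
    for line in klist_output.splitlines():
        m = ENTRY.match(line)
        if m:  # header, separator and blank lines do not match
            found[m.group(2)].add(int(m.group(1)))
    return {principal: sorted(kvnos) for principal, kvnos in found.items()}


def older_kvnos(klist_output):
    """Return {principal: [KVNOs below the newest]} where more than one KVNO exists."""
    report = {}
    for principal, kvnos in kvnos_by_principal(klist_output).items():
        if len(kvnos) > 1:
            report[principal] = kvnos[:-1]
    return report


if __name__ == "__main__":
    current = kvnos_by_principal(SAMPLE)
    for principal, old in older_kvnos(SAMPLE).items():
        print(f"{principal}: newest kvno {current[principal][-1]}, "
              f"older kvnos still present: {old}")
```

Several lines with the same KVNO are normal, since the keytab holds one entry per encryption type; the report only looks at distinct KVNOs per principal.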