Only adcli versions later than 0.8.1 do this.
Todd
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: Friday, June 2, 2017 6:17 AM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: sssd auto refresh of keytab entries?
On Fri, Jun 02, 2017 at 10:36:40AM +0000, Joakim Tjernlund wrote:
> On Fri, 2017-06-02 at 11:37 +0200, Sumit Bose wrote:
> > On Fri, Jun 02, 2017 at 09:11:13AM +0000, Joakim Tjernlund wrote:
> > > We are seeing extra keytab entries in krb5.keytab here and there:
> > > klist -k
> > > ....
> > > 11 host/GENTOO64(a)INFINERA.COM
> > > 12 host/GENTOO64(a)INFINERA.COM
> > > ...
> > >
> > > I suspect sssd has added them, but why? And how?
> >
> > If this is an AD client SSSD will try to use adcli to renew the
> > machine account password every 30 days as Windows clients do, see
> > ad_maximum_machine_account_password_age and
> > ad_machine_account_password_renewal_opts in man sssd-ad for details.
> I see, thanks.
> sssd does not seem to clean out the old entries though, even after some time.
It is expected that adcli keeps only the new and the last valid entry.
> Is it really necessary to refresh all keytab keys periodically?
It depends on your environment. There are some tools for Windows which determine if a
client is still active or can be removed from AD by checking when the machine account
password was renewed the last time.
But if this is not used in your environment you can disable it.
bye,
Sumit
> Jocke
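The thread says a healthy adcli renewal leaves only the current and the previous KVNO for each principal. The following POSIX shell check, added here as an example and not code from the thread, SSSD or adcli, parses `klist -k` output and reports any principal that carries more distinct KVNOs than that. The keytab listing, hostnames and realm in `SAMPLE_KLIST` are constructed for the example; the function names `stale_principals` and `check_sample` are the example's own.

```shell
#!/bin/sh
# Added example: flag keytab principals whose key history has grown beyond
# the "current + previous" pair that adcli renewal is expected to keep.

# Constructed sample of `klist -k` output (hostnames, realm and KVNOs are
# made up for this example). klist lists one line per entry, so the same
# KVNO may repeat once per encryption type; the check de-duplicates that.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
  10 host/gentoo64.example.com@EXAMPLE.COM
  11 host/gentoo64.example.com@EXAMPLE.COM
  11 host/gentoo64.example.com@EXAMPLE.COM
  12 host/gentoo64.example.com@EXAMPLE.COM
  11 host/GENTOO64@EXAMPLE.COM
  12 host/GENTOO64@EXAMPLE.COM
  12 GENTOO64$@EXAMPLE.COM'

# stale_principals [MAX_KEEP]  (reads klist -k output on stdin)
# Prints "<distinct-kvno-count> <principal>" for every principal that has
# more than MAX_KEEP distinct KVNOs (default 2: current + previous key).
stale_principals() {
    max_keep="${1:-2}"
    awk -v max="$max_keep" '
        # Only data lines: a numeric KVNO followed by the principal name.
        # Header lines ("Keytab name:", "KVNO Principal", "----") are skipped.
        $1 ~ /^[0-9]+$/ && NF >= 2 {
            key = $2 SUBSEP $1
            if (!(key in seen)) { seen[key] = 1; count[$2]++ }
        }
        END {
            for (p in count)
                if (count[p] > max) printf "%d %s\n", count[p], p
        }'
}

# Runs the check over the constructed sample so it works offline.
check_sample() {
    printf '%s\n' "$SAMPLE_KLIST" | stale_principals 2
}

# On a real AD-joined host the same check would be run as:
#   klist -k | stale_principals 2
```

An empty result means every principal holds at most two KVNOs, which matches the behaviour the thread describes; any line printed names a principal whose old keys were not pruned and deserves a look at the renewal history. Renewal itself is governed by the two options named above in the `[domain/...]` section of sssd.conf; per the sssd-ad man page, `ad_maximum_machine_account_password_age = 0` turns the periodic renewal off for environments that do not rely on the machine account password age.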
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org