sssd auto refresh of keytab entries? - sssd-users - Fedora Mailing-Lists

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd auto refresh of keytab entries?

p11_child fails to obtain...

user id getting lost

Joakim Tjernlund

Friday, 2 June 2017 Fri, 2 Jun '17

4:11 a.m.

Vi are seeing extra keytab entries in krb5.keytab here and there: klist -k .... 11 host/GENTOO64(a)INFINERA.COM 12 host/GENTOO64(a)INFINERA.COM ... I suspect sssd has added them, but why? and how? Jocke

Reply

Show replies by thread

Sumit Bose

Friday, 2 June Fri, 2 Jun

4:37 a.m.

On Fri, Jun 02, 2017 at 09:11:13AM +0000, Joakim Tjernlund wrote:

Vi are seeing extra keytab entries in krb5.keytab here and there: klist -k .... 11 host/GENTOO64(a)INFINERA.COM 12 host/GENTOO64(a)INFINERA.COM ... I suspect sssd has added them, but why? and how?

If this is an AD client SSSD will try to use adcli to renew the machine account password every 30 days as Windows clients do, see ad_maximum_machine_account_password_age and ad_machine_account_password_renewal_opts in man sssd-ad for details. HTH bye, Sumit > > Jocke > _______________________________________________ > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org

Reply

Joakim Tjernlund

5:36 a.m.

On Fri, 2017-06-02 at 11:37 +0200, Sumit Bose wrote:

On Fri, Jun 02, 2017 at 09:11:13AM +0000, Joakim Tjernlund wrote: > Vi are seeing extra keytab entries in krb5.keytab here and there: > klist -k > .... > 11 host/GENTOO64(a)INFINERA.COM > 12 host/GENTOO64(a)INFINERA.COM > ... > > I suspect sssd has added them, but why? and how? If this is an AD client SSSD will try to use adcli to renew the machine account password every 30 days as Windows clients do, see ad_maximum_machine_account_password_age and ad_machine_account_password_renewal_opts in man sssd-ad for details.

I see, thanks. sssd does not seem to clean out the old entries though, efter after some time. Is it really necessary to refresh all keytab keys periodically ? Jocke

Reply

Sumit Bose

6:16 a.m.

On Fri, Jun 02, 2017 at 10:36:40AM +0000, Joakim Tjernlund wrote:

On Fri, 2017-06-02 at 11:37 +0200, Sumit Bose wrote: > On Fri, Jun 02, 2017 at 09:11:13AM +0000, Joakim Tjernlund wrote: > > Vi are seeing extra keytab entries in krb5.keytab here and there: > > klist -k > > .... > > 11 host/GENTOO64(a)INFINERA.COM > > 12 host/GENTOO64(a)INFINERA.COM > > ... > > > > I suspect sssd has added them, but why? and how? > > If this is an AD client SSSD will try to use adcli to renew the machine > account password every 30 days as Windows clients do, see > ad_maximum_machine_account_password_age and > ad_machine_account_password_renewal_opts in man sssd-ad for details. I see, thanks. sssd does not seem to clean out the old entries though, efter after some time.

It is expected that adcli keeps only the new and the last valid entry.

Is it really necessary to refresh all keytab keys periodically ?

It depends on your environment. There are some tools for Windows which determine if a client is still active or can be removed from AD by checking when the machine account password was renewed the last time. But if this is not used in your environment you can disable it. bye, Sumit > > Jocke > _______________________________________________ > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org

Reply

Mote, Todd

Monday, 5 June Mon, 5 Jun

2:18 p.m.

Only adcli versions later than 0.8.1 do this. Todd -----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: Friday, June 2, 2017 6:17 AM To: sssd-users(a)lists.fedorahosted.org Subject: [SSSD-users] Re: sssd auto refresh of keytab entries? On Fri, Jun 02, 2017 at 10:36:40AM +0000, Joakim Tjernlund wrote:

On Fri, 2017-06-02 at 11:37 +0200, Sumit Bose wrote: > On Fri, Jun 02, 2017 at 09:11:13AM +0000, Joakim Tjernlund wrote: > > Vi are seeing extra keytab entries in krb5.keytab here and there: > > klist -k > > .... > > 11 host/GENTOO64(a)INFINERA.COM > > 12 host/GENTOO64(a)INFINERA.COM > > ... > > > > I suspect sssd has added them, but why? and how? > > If this is an AD client SSSD will try to use adcli to renew the > machine account password every 30 days as Windows clients do, see > ad_maximum_machine_account_password_age and > ad_machine_account_password_renewal_opts in man sssd-ad for details. I see, thanks. sssd does not seem to clean out the old entries though, efter after some time.

It is expected that adcli keeps only the new and the last valid entry.

Is it really necessary to refresh all keytab keys periodically ?

It depends on your environment. There are some tools for Windows which determine if a client is still active or can be removed from AD by checking when the machine account password was renewed the last time. But if this is not used in your environment you can disable it. bye, Sumit

Jocke _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org

_______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org

Reply

2516

days inactive

2519

days old

sssd-users@lists.fedorahosted.org

Manage subscription

4 comments

3 participants

tags (0)

participants (3)

Joakim Tjernlund
Mote, Todd
Sumit Bose