adding sssd-devel

On Thu, Aug 11, 2011 at 10:14:09AM +0200, Tim Niemueller wrote:
> Hi all.
>
> We have setup FreeIPA on a F-15 virtual machine. I'm currently
> testing with a F-14 client. We would like to keep F-14, as F-15
> seems not generally stable enough for wide deployment (graphics
> issues etc.). I have described the setup a bit at
> http://www.niemueller.de/blog/id/245, which was possible only
> through numerous IRC sessions on #freeipa. This issue here seems a
> little more long-standing, hence the mail this time.
>
> I'm having a hard time getting the setup running reliably. Initial
> login and desktop use works fine. But a typical use case is leaving
> the desktop running overnight with just the screen locked (there
> might be stuff running in the background). Now, if I return the next
> day and try to use the machine, the machine is frozen and cannot be
> used. Tickets have not been renewed, in particular the one for the
> NFSv4 server protected by Kerberos (sec=krb5). It just expired after
> 24h.
>
> The problem can be recreated quickly with a shorter 5 minute
> lifetime with the following modifications (on the client).
>
> This assumes that you have /home mounted via a Kerberos-protected NFSv4 share!
>
> In /etc/sssd/sssd.conf:
> [domain/somedomain]
> krb5_renewable_lifetime = 14d
> krb5_renew_interval = 60
> krb5_lifetime = 5m
>
> [domain/default]
> krb5_renewable_lifetime = 14d
> krb5_renew_interval = 60
> krb5_lifetime = 5m
>
> Then reboot (just restarting sssd does not always show the problem,
> especially if you had been logged in before).
> Then login and wait five minutes; the machine freezes, as the NFS
> key has expired. If you do a klist just before the timeout expires,
> you see that the keys have not been renewed as expected (but the
> renewable end time is still way in the future, even if the FreeIPA
> server default of 7d was not increased). Maybe I need to set some
> magic flag for rpc.gssd, but I couldn't find it.

Which version of sssd are you using? Does it work if you manually call
'kinit -R' before the ticket expires? Can you send a sanitized version
of the sssd log files with debug_level=9?

bye,
Sumit

>
> Is there something I can do on my side to get this working? Or is it
> a FreeIPA or sssd shortcoming, or even "intended not to work by
> design"?
>
> Ideally, I want to make it possible for users to just keep logged in
> all the time, so even acquiring new tickets automatically by
> requesting an intermediate user authentication or just doing it from
> the screensaver would be great, but I guess with /home mounted I'm
> pretty much out of luck? Is there alternatively a way to only
> authenticate the host via krb5, but not the user? In the old days we
> would simply use IP addresses to allow access. Well, that's bad, but
> having just the host authenticate to prevent laptop road warriors
> from snooping around could be just enough for us and avoid user
> ticket renewal, any idea?
>
> Thanks for your input.
> Tim
>
> --
> KBSG - Knowledge-Based Systems Group      AllemaniACs RoboCup Team
> ========================================================================
> http://robocup.rwth-aachen.de             RWTH Aachen University
> http://kbsg.rwth-aachen.de                Ahornstrasse 55
> http://www.fawkesrobotics.org             D-52056 Aachen
>
> _______________________________________________
> Freeipa-users mailing list
> freeipa-us...@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
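Added example, not part of the thread or of sssd itself: the manual check Sumit asks for ('kinit -R' before the ticket expires) as a small script, so the timing can be reproduced with the 5 minute krb5_lifetime Tim describes. It reads the TGT expiry out of `klist` output, computes how long is left, and renews with `kinit -R` when the remaining time drops below a margin. The principal, realm, cache path and timestamps in the embedded klist sample are constructed; the script assumes MIT Kerberos `klist`/`kinit` output format and GNU `date` (for `date -d`). Note that `kinit -R` only works while the "renew until" time has not passed, which is why the renewable lifetime matters.

```shell
#!/bin/sh
# Renew the Kerberos TGT shortly before it expires (added example, not from the thread).
# Assumes MIT Kerberos klist/kinit and GNU date for 'date -d'.

# Constructed sample of 'klist' output; principal, realm and times are made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tim@EXAMPLE.COM

Valid starting       Expires              Service principal
08/11/2011 10:14:09  08/11/2011 10:19:09  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 08/25/2011 10:14:09
08/11/2011 10:14:10  08/11/2011 10:19:09  nfs/files.example.com@EXAMPLE.COM
'

# Renew when this many seconds (or fewer) remain on the TGT.
RENEW_MARGIN=${RENEW_MARGIN:-60}

# Print the "Expires" timestamp (MM/DD/YYYY HH:MM:SS) of the krbtgt entry
# in the klist output passed as $1; prints nothing if there is no TGT.
tgt_expiry() {
    printf '%s\n' "$1" | awk '/krbtgt\// { print $3, $4; exit }'
}

# Convert a klist timestamp to seconds since the epoch (GNU date syntax).
to_epoch() {
    date -d "$1" +%s
}

# Seconds until the TGT in klist output $1 expires, measured from epoch
# time $2 (defaults to now). Returns 1 when no TGT is present.
seconds_left() {
    expiry=$(tgt_expiry "$1")
    [ -n "$expiry" ] || return 1
    now=${2:-$(date +%s)}
    echo $(( $(to_epoch "$expiry") - now ))
}

# Exit status: 0 = renewal needed, 1 = ticket still fine, 2 = no TGT in cache.
needs_renewal() {
    left=$(seconds_left "$1" "$2") || return 2
    [ "$left" -le "$RENEW_MARGIN" ]
}

# Live mode: run against the real credential cache (e.g. from cron every minute).
if [ "${1:-}" = "--run" ]; then
    out=$(klist 2>/dev/null) || { echo "no credential cache"; exit 2; }
    if needs_renewal "$out"; then
        if kinit -R; then
            echo "renewed TGT"
        else
            echo "kinit -R failed (renew-until reached, or ticket not renewable?)"
        fi
    else
        echo "TGT still valid for $(seconds_left "$out") s"
    fi
fi
```

Run it as `sh renew-tgt.sh --run` from the user's session (it must see the same KRB5CCNAME as the desktop session, or it will renew the wrong cache). If renewal succeeds by hand but sssd still lets the ticket lapse, that points at the sssd renewal task rather than at the KDC or the ticket flags, which is what the debug_level=9 logs Sumit asks for would show.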