On (22/05/17 14:53), Joakim Tjernlund wrote:
>> The time is not synchronised between client and server.
>> MIT krb5 can handle small offset. But I would highly recommends
>> to keep time in sync.
>
>There is some time problem on and off but this has never been too much. I don't
>think this was the root problem here ?
>
As I already mention I would highly recommend to keep time in sync.
It will reduce possible errors.
Configure ntpd/chrony on client and server is not a rocket science :-)
>> Renewing of a ticket failed because it is already expired.
>> Maybe due to time shift between client and server(KDC)
>
>Yes, it is expired to begin with. I got a ticket, then suspended the computer
>long enough for
>the ticket to expire(10 hours here) and then woke up and unlocked the screen.
>The problem is that sssd never tries to get a new ticket using my creds I gave
>when unlocking.
>Even if I do several lock/unlocks after the network is restored, sssd will not
>get me a new ticket.
>
sssd would get new ticket if it was in online mode.
But it offline mode.
I would highly recommend to keep time in sync with server
and then debug why sssd was in offline mode.
Or why it went to offline mode.
With 1.15 you can use sssctl e.g.
sssctl domain-status example.com
Online status: Online
Active servers:
KPASSWD: not connected
KERBEROS: not connected
LDAP: ldap.abc.example.com
Discovered KPASSWD servers:
- kerberos.abc.example.com
Discovered KERBEROS servers:
- kerberos.abc.example.com
Discovered LDAP servers:
- ldap.abc.example.com
- ldap.corp.example.com
LS
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
