On Wed, Oct 18, 2017 at 10:00:35AM +0200, Michael Löffler wrote:
> Dear SSSD Users,
> 
> I have a question regarding the renewal of Kerberos tickets within a Samba
> AD. All servers and clients are running Ubuntu 16.04. We have a lot of
> Windows clients too; therefore we're using Samba. First of all, I'll
> summarize our setup:
> 
> - One server acts as the Samba AD Host (and Kerberos (integrated in Samba)
> principal)
> - One server acts as a file server; all directories (the users' home
> directories as well) are exported via kerberized NFS
> - The clients mount the directories; login auth is realized using sssd (with
> id_provider = ad, auth_provider = ad and access_provider = ad)
> 
> When a user logs in at a client, he gets a Kerberos ticket and is therefore
> granted access to his home directory. If he locks the screen and logs in
> again, the ticket is renewed. However, if the user keeps the client locked
> for a time greater than the ticket lifetime, the ticket expires and the user
> is not able to write to his home directory any more. That's a problem if the
> user is, for example, running a process which takes a long time (in our case
> mostly simulations which are usually run overnight). The same thing happens
> if a user connects to a client via ssh. Then, the ticket is never renewed
> automatically.
> 
> Is it somehow possible to configure that sssd renews the krb5 ticket if the
> user has active processes running?
> 
> Regards
> Michael

Yes, please check man sssd-krb5 and the options that include 'renew' in
their name, e.g. "krb5_renewable_lifetime".

But please note that only tickets acquired through SSSD will be renewed
this way. Tickets acquired through kinit or in another way won't -- that's
why we are working on KCM and in particular
https://pagure.io/SSSD/sssd/issue/1723
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
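
Added example, not part of the original thread or of SSSD: a small checker that reads an sssd.conf and reports, per domain, whether the sssd-krb5 renewal options the reply points to are set so that SSSD will actually renew tickets. The sample configuration, its realm name and its values are constructed; `krb5_renew_interval` comes from the sssd-krb5 man page rather than from the thread.

```python
import configparser
import re

# Constructed sample sssd.conf; the realm and all values are illustrative assumptions.
SAMPLE_CONF = """
[sssd]
domains = example.test

[domain/example.test]
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_renewable_lifetime = 7d
krb5_renew_interval = 30m
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert an sssd-krb5 time value (integer plus optional s/m/h/d) to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]  # no unit means seconds

def renewal_findings(conf_text):
    """Return {domain: [problems]}; an empty list means renewal is configured."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # only [domain/NAME] sections carry krb5_* options
        opts, problems = cp[section], []
        renewable = to_seconds(opts.get("krb5_renewable_lifetime", fallback="0"))
        interval = to_seconds(opts.get("krb5_renew_interval", fallback="0"))
        if renewable == 0:
            problems.append("krb5_renewable_lifetime unset: TGT is not renewable")
        if interval == 0:
            problems.append("krb5_renew_interval unset or 0: automatic renewal disabled")
        report[section[len("domain/"):]] = problems
    return report

if __name__ == "__main__":
    for domain, problems in renewal_findings(SAMPLE_CONF).items():
        print(domain, "OK" if not problems else problems)
```

Renewal extends a ticket only up to its renewable lifetime, and only if the KDC issues renewable tickets in the first place.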