I've been working with SSSD for a good while and I could have sworn I knew how 
to get this working, but....

Login on workstations via GDM and my Kerberos tickets get renewed 
automatically.  As I type this, I realize that I do lock/unlock my screen at 
least once a day.  My tickets never seem to expire on my workstation.
From my workstation, I ssh to a server with sssd enabled authentication 
(Ubuntu bionic on both ends).  I use a different account on the remote server 
and am asked for a password.  Ssh is configured to use PAM and has its own 
password authentication disabled.  (PasswordAuthentication no;  UsePAM yes; 
ChallengeResponseAuthentication yes).  Home folders are kerberized NFS and 
upon initial login, all is well.  However the ticket for this session never 
renews on its own.  sudo will refresh the ticket.  It's about the only other 
thing we have sssd enabled for besides ssh.  Without any sudo activity, the 
Kerberos ticket expires and we lose access to home folders.  Current 
workaround is a user cron job that tries to refresh the key every hour.  I 
have to sudo on this server several times a day so my tickets were being 
renewed.  Co-workers don't have sudo access and they are the ones losing their 
tickets.

Is my assumption that one should be able to ssh to a server and have that 
server refresh tickets (like on a workstation) a valid one?   If so, where 
should I concentrate my efforts to get this working?

Thanks to all in this group.

 Jay McCanta  |  Principal Systems Administrator
 D +1 (206) 272-7998  M +1-206-434-1080


_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org