Am Thu, Sep 02, 2021 at 10:02:54AM -0500 schrieb Patrick Goetz:
>
> On 9/2/21 12:49 AM, Sumit Bose wrote:
> > The reason is that 'kinit -k' constructs the principal by calling
> > gethostname() or similar, adding the 'host/' prefix and the realm. But
> > by default this principal in AD is only a service principal can cannot
> > be used to request a TGT as kinit does. AD only allows user principals
> > for request a TGT and this is by default 'SHORT$@AD.REALM'. If the
> > userPrincipalName attribute is set, this principal given here is allowed
> > as well.
> >
>
> This raises a couple of questions. Because of AD's flat address space, we
> use a host naming convention in AD as a sort of low rent namespacing; so,
> for example, for this host the college is cns and the research group cryo,
> so the AD hostname is cns-cryo-ross1$
>
> However,
>
> # hostname
> rossmann.biosci.utexas.edu
>
>
> which is easier for the users to remember for ssh purposes. We set
>
> ad_hostname = cns-cryo-ross1.austin.utexas.edu
>
> in /etc/sssd/sssd.conf.
>
> But I just checked, and kinit does not use ad_hostname, so I have to run it
> as
>
> kinit -k -R cns-cryo-ross1$
>
> The question is, then what does use the ad_hostname key/value pair?
>
> Next, the kinit example provided by Spike was `kinit -k` -- we always run
> `kinit -k -R`
>
> -R renews the TGT, which is what I thought is the thing set to expire in AD
> that needs to be periodically renewed. What's the purpose of running `kinit
> -k` without the -R?
Hi,
there are two different things.
First, there are the host keys in the keytab which are equivalent to a
user password. Those keys are renewed by 'adcli update' if they are
older then 30 days, similar as you would renew you user password if the
AD DC tells you to do it.
Second, with those keys you can request a Kerberos TGT
kinit -k 'shortname$'
as you can do with your user password:
kinit user@REALM
Password for user@REALM
This TGT has a lifetime and it might have a renewal time as well:
# klist
Ticket cache: KCM:0:69840
Default principal: administra...@child.ad.vm
Valid starting Expires Service principal
09/06/2021 09:39:28 09/06/2021 19:39:28 krbtgt/child.ad...@child.ad.vm
renew until 09/07/2021 09:39:24
In the example above the TGT will expire at '09/06/2021 19:39:28' but
can be renewed until '09/07/2021 09:39:24'. This means that if you call
kinit -R
before '09/06/2021 19:39:28' you will get a fresh TGT without entering
your password. The new TGT will have a new lifetime but 'renew until'
will stay the same. After '09/07/2021 09:39:24' 'kinit -R' will not work
anymore and you have to enter your password again. It does not matter
here if the TGT was originally requested with a keytab with 'kinit -k'
or with plain 'kinit' and a password.
However, since the keytab is present in the file system calling
kinit -k 'shortname$'
will always get a fresh TGT without manual intervention. So in case you
have a valid keytab this is even more flexible than 'kinit -R'
HTH
bye,
Sumit
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
