Patrick,

kinit -k acquires a new fresh TGT ticket.

kinit -R renews an existing TGT ticket (if it's not already expired).  Even
if renewed, "renew until" doesn't change (usually 7 days).

Neither of these updates any computer account password in AD.  That's an
AD-specific requirement: machines must update their machine account
passwords every 40 days or be locked out.

sssd wakes up every 24 hrs by default (controlled by
ad_machine_account_password_renewal_opts).  It checks whether the machine
account password is older than ad_maximum_machine_account_password_age
(default 30 days).  If it's < 30 days, sssd does nothing.  If 31 days or
greater, it calls adcli update with various flags to update the machine
account password.

Spike
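An added example, not from this thread and not sssd's own code: a Python model of the renewal check described in the message above, using the defaults it names (24 hour task cadence, 30 day maximum age) and constructed pwdLastSet values. AD stores pwdLastSet as a FILETIME (100 ns ticks since 1601-01-01 UTC), so the conversion helpers are included; the same logic can then be run against a real pwdLastSet pulled from the directory when auditing whether a host's account password is about to go stale.

```python
"""Added example (not from the thread or sssd): a model of the AD machine
account password renewal check described in the message above.

Defaults are the ones named in the message (24 h task cadence, 30 day maximum
age); pwdLastSet values are constructed samples. AD stores pwdLastSet as a
FILETIME, i.e. 100 ns intervals since 1601-01-01 UTC.
"""
import math
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_MAX_AGE_DAYS = 30          # ad_maximum_machine_account_password_age default
DEFAULT_TASK_INTERVAL_SEC = 86400  # renewal task cadence (24 h), first field of
                                   # ad_machine_account_password_renewal_opts


def utc(*ymd_hms):
    """Timezone-aware UTC datetime, to keep the constructed samples readable."""
    return datetime(*ymd_hms, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """AD FILETIME (pwdLastSet) -> datetime. Integer division keeps it exact."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """datetime -> AD FILETIME, used here only to build the constructed samples."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def password_age_days(pwd_last_set, now):
    """Age of the machine account password in days (fractional)."""
    return (now - filetime_to_datetime(pwd_last_set)) / timedelta(days=1)


def renewal_due(pwd_last_set, now, max_age_days=DEFAULT_MAX_AGE_DAYS):
    """True when the task would call 'adcli update': strictly older than the
    maximum age, so a 30 day old password is left alone and a 31 day old one
    is renewed, matching the message."""
    return password_age_days(pwd_last_set, now) > max_age_days


def next_renewal_run(pwd_last_set, now, max_age_days=DEFAULT_MAX_AGE_DAYS,
                     task_interval_sec=DEFAULT_TASK_INTERVAL_SEC):
    """First task run at which renewal is due, assuming the task fires at `now`
    and every task_interval_sec after that."""
    age = password_age_days(pwd_last_set, now)
    if age > max_age_days:
        return now
    interval_days = task_interval_sec / 86400
    # Smallest k with age + k*interval_days > max_age_days.
    k = math.floor((max_age_days - age) / interval_days) + 1
    return now + timedelta(seconds=k * task_interval_sec)


# Constructed samples: the task wakes on 2021-09-07; one account set its
# password 37 days earlier, the other 18 days earlier.
SAMPLE_NOW = utc(2021, 9, 7, 0, 0, 0)
STALE_PWD_LAST_SET = datetime_to_filetime(utc(2021, 8, 1, 0, 0, 0))
FRESH_PWD_LAST_SET = datetime_to_filetime(utc(2021, 8, 20, 0, 0, 0))

if __name__ == "__main__":
    for label, plset in (("stale", STALE_PWD_LAST_SET), ("fresh", FRESH_PWD_LAST_SET)):
        print(label, round(password_age_days(plset, SAMPLE_NOW), 1), "days old;",
              "adcli update now" if renewal_due(plset, SAMPLE_NOW)
              else "next renewal run at %s" % next_renewal_run(plset, SAMPLE_NOW))
```

The comparison is strict (`>`), so an account whose password is exactly 30 days old is not touched until the next 24 hour tick, which is the "31 days or greater" behaviour the message describes.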

On Tue, Sep 7, 2021 at 9:53 AM Patrick Goetz <pgo...@math.utexas.edu> wrote:

>
>
> On 9/6/21 4:49 AM, Sumit Bose wrote:
> > Am Thu, Sep 02, 2021 at 10:02:54AM -0500 schrieb Patrick Goetz:
> >>
> >> On 9/2/21 12:49 AM, Sumit Bose wrote:
> >>> The reason is that 'kinit -k' constructs the principal by calling
> >>> gethostname() or similar, adding the 'host/' prefix and the realm. But
> >>> by default this principal in AD is only a service principal and cannot
> >>> be used to request a TGT as kinit does. AD only allows user principals
> >>> to request a TGT and this is by default 'SHORT$@AD.REALM'. If the
> >>> userPrincipalName attribute is set, the principal given there is
> >>> allowed as well.
> >>>
> >>
> >> This raises a couple of questions. Because of AD's flat address space,
> >> we use a host naming convention in AD as a sort of low rent namespacing;
> >> so, for example, for this host the college is cns and the research group
> >> cryo, so the AD hostname is cns-cryo-ross1$
> >>
> >> However,
> >>
> >> # hostname
> >> rossmann.biosci.utexas.edu
> >>
> >>
> >> which is easier for the users to remember for ssh purposes.  We set
> >>
> >>    ad_hostname = cns-cryo-ross1.austin.utexas.edu
> >>
> >> in /etc/sssd/sssd.conf.
> >>
> >> But I just checked, and kinit does not use ad_hostname, so I have to
> >> run it as
> >>
> >>    kinit -k -R cns-cryo-ross1$
> >>
> >> The question is, then what does use the ad_hostname key/value pair?
> >>
> >> Next, the kinit example provided by Spike was `kinit -k` -- we always
> >> run `kinit -k -R`
> >>
> >> -R renews the TGT, which is what I thought is the thing set to expire
> >> in AD that needs to be periodically renewed.  What's the purpose of
> >> running `kinit -k` without the -R?
> >
> > Hi,
> >
> > there are two different things.
> >
> > First, there are the host keys in the keytab which are equivalent to a
> > user password. Those keys are renewed by 'adcli update' if they are
> > older than 30 days, similar to how you would renew your user password
> > if the AD DC tells you to do it.
> >
> > Second, with those keys you can request a Kerberos TGT
> >
> >      kinit -k 'shortname$'
> >
>
> I thought, based on the kinit man page, that the -k flag is just an
> ordinary ticket request and that you need to add the -R flag to request
> a TGT.  What you're saying is it also renews the TGT?
>
> OTOH I thought `kinit -k` was updating the computer account password on
> the domain controller, but that doesn't seem to be the case, in which
> case I'm not even sure what the purpose of an ordinary (non-TGT) ticket
> is if you're not requesting automatic login to some specifically
> requested service.
>
> Also, just to make sure I'm clear on this, the "renew until" doesn't
> change because this is based on the computer account password
> expiration, and further that sssd runs `adcli update` for you
> periodically?  How often, by the way?
>
>
> > as you can do with your user password:
> >
> >      kinit user@REALM
> >      Password for user@REALM
> >
> > This TGT has a lifetime and it might have a renewal time as well:
> >
> > # klist
> > Ticket cache: KCM:0:69840
> > Default principal: administra...@child.ad.vm
> >
> > Valid starting       Expires              Service principal
> > 09/06/2021 09:39:28  09/06/2021 19:39:28  krbtgt/child.ad...@child.ad.vm
> >          renew until 09/07/2021 09:39:24
> >
> >
> > In the example above the TGT will expire at '09/06/2021 19:39:28' but
> > can be renewed until '09/07/2021 09:39:24'. This means that if you call
> >
> >      kinit -R
> >
> > before '09/06/2021 19:39:28' you will get a fresh TGT without entering
> > your password. The new TGT will have a new lifetime but 'renew until'
> > will stay the same. After '09/07/2021 09:39:24' 'kinit -R' will not work
> > anymore and you have to enter your password again. It does not matter
> > here if the TGT was originally requested with a keytab with 'kinit -k'
> > or with plain 'kinit' and a password.
> >
> > However, since the keytab is present in the file system calling
> >
> >      kinit -k 'shortname$'
> >
> > will always get a fresh TGT without manual intervention. So in case you
> > have a valid keytab this is even more flexible than 'kinit -R'
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> >>
> >> _______________________________________________
> >> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> >> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> >> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
> >> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
>
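Sumit's klist walkthrough above, as an added example that is not part of the thread: a Python parser for the ticket listing format klist prints, which then applies the rule he gives, that 'kinit -R' works only while the TGT is still valid and before 'renew until', and that after that point a fresh 'kinit -k' with the keytab (or a password) is required. The sample output, principal, realm and service names are constructed placeholders, not values from the thread.

```python
"""Added example (not from the thread): parse the ticket listing format that
'klist' prints (as quoted in the thread) and apply the rule from the
explanation above: 'kinit -R' only works while the TGT is still valid and
before 'renew until'; past that, a fresh 'kinit -k' (or a password) is needed.

The sample below is constructed; the principal and realm are placeholders.
"""
import re
from datetime import datetime

KLIST_TIME = "%m/%d/%Y %H:%M:%S"   # default MIT klist timestamp layout

# Constructed sample modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Ticket cache: KCM:0:12345
Default principal: placeholder-admin@EXAMPLE.REALM

Valid starting       Expires              Service principal
09/06/2021 09:39:28  09/06/2021 19:39:28  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        renew until 09/07/2021 09:39:24
09/06/2021 09:40:02  09/06/2021 19:39:28  host/filer.example.realm@EXAMPLE.REALM
"""

_TS = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"
_TICKET_RE = re.compile(rf"^(?P<start>{_TS})\s+(?P<expires>{_TS})\s+(?P<service>\S+)\s*$")
_RENEW_RE = re.compile(rf"^\s+renew until (?P<until>{_TS})\s*$")


def klist_time(text):
    """Parse one klist timestamp."""
    return datetime.strptime(text, KLIST_TIME)


def parse_klist(output):
    """Return one dict per ticket; 'renew_until' is None for non-renewable tickets."""
    tickets = []
    for line in output.splitlines():
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({"service": m["service"],
                            "start": klist_time(m["start"]),
                            "expires": klist_time(m["expires"]),
                            "renew_until": None})
            continue
        m = _RENEW_RE.match(line)
        if m and tickets:   # continuation line belongs to the preceding ticket
            tickets[-1]["renew_until"] = klist_time(m["until"])
    return tickets


def find_tgt(tickets):
    """The TGT is the ticket for the krbtgt/ service."""
    return next((t for t in tickets if t["service"].startswith("krbtgt/")), None)


def is_valid(ticket, now):
    return ticket["start"] <= now < ticket["expires"]


def renewal_possible(ticket, now):
    """'kinit -R' needs a TGT that is still valid *and* inside its renew window;
    MIT Kerberos refuses to renew a ticket that has already expired."""
    return (is_valid(ticket, now) and ticket["renew_until"] is not None
            and now < ticket["renew_until"])


def recommended_action(ticket, now):
    """What to run at `now` to end up with a usable TGT."""
    if renewal_possible(ticket, now):
        return "kinit -R"          # keeps the same 'renew until'
    return "kinit -k"              # fresh TGT from the keytab (or a password)


if __name__ == "__main__":
    tgt = find_tgt(parse_klist(SAMPLE_KLIST))
    for when in ("09/06/2021 12:00:00", "09/06/2021 20:00:00", "09/07/2021 10:00:00"):
        print(when, "->", recommended_action(tgt, klist_time(when)))
```

Note the extra condition in `renewal_possible`: the thread only states the 'renew until' limit, but a TGT that has already passed 'Expires' cannot be renewed either, so a cron job that relies on `kinit -R` alone must run inside the ticket lifetime, whereas `kinit -k` with a present keytab works at any time.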