[Freeipa-users] Laptop user
Jakub Hrozek
jhrozek at redhat.com
Thu Nov 20 09:35:30 UTC 2014
On Thu, Nov 20, 2014 at 05:19:57PM +0800, Thomas Lau wrote:
> What will happen if laptop haven't turn on for a long time and ticket
> expired with cache and store password enabled? Does user unable to login
> after expired?
SSSD doesn't use the ticket to authenticate in offline case, so sssd
doesn't really care the ticket expired.
Rather, when cache_credentials is enabled, we store a hash of the user's
password in the cache and if offline, compare what the user entered
with the stored hash.
By default, the cache password hash never expires, unless you configure
sssd to do so with offline_credentials_expiration
>
> On Thu, Nov 20, 2014 at 5:10 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
>
> > On Thu, Nov 20, 2014 at 05:04:02PM +0800, Thomas Lau wrote:
> > > Does anyone know what's the behavior look like if a mobile user (laptop)
> > > being disconnected from Kerberos for too long even cache is enabled by
> > > default in our environment?
> >
> > SSSD caches the user data and if cache_credentials is enabled, then also
> > a salted password hash to enable offline logins.
> >
> > Your TGT will eventually expire, but that hardly matters since you're
> > offline. When you reconnect to the network, you can either run kinit
> > manually, or for better user experience enable
> > krb5_store_password_if_offline
> > to keep your password in the kernel keyring and let sssd kinit on your
> > behalf when it detects you've gone online again.
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go To http://freeipa.org for more info on the project
> >
More information about the Freeipa-users
mailing list