[Freeipa-users] Laptop user

Thomas Lau tlau at tetrioncapital.com
Thu Nov 20 09:36:14 UTC 2014


Thanks, that solves my concern!

On Thu, Nov 20, 2014 at 5:35 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:

> On Thu, Nov 20, 2014 at 05:19:57PM +0800, Thomas Lau wrote:
> > What will happen if the laptop hasn't been turned on for a long time and
> > the ticket expired, with cache and store password enabled? Is the user
> > unable to log in after it expires?
>
> SSSD doesn't use the ticket to authenticate in the offline case, so sssd
> doesn't really care that the ticket expired.
>
> Rather, when cache_credentials is enabled, we store a hash of the user's
> password in the cache and if offline, compare what the user entered
> with the stored hash.
>
> By default, the cached password hash never expires, unless you configure
> sssd to do so with offline_credentials_expiration.
>
>
> >
> > On Thu, Nov 20, 2014 at 5:10 PM, Jakub Hrozek <jhrozek at redhat.com> wrote:
> >
> > > On Thu, Nov 20, 2014 at 05:04:02PM +0800, Thomas Lau wrote:
> > > > Does anyone know what the behavior looks like if a mobile user
> > > > (laptop) is disconnected from Kerberos for too long, even though
> > > > cache is enabled by default in our environment?
> > >
> > > SSSD caches the user data and if cache_credentials is enabled, then
> > > also a salted password hash to enable offline logins.
> > >
> > > Your TGT will eventually expire, but that hardly matters since you're
> > > offline. When you reconnect to the network, you can either run kinit
> > > manually, or for better user experience enable
> > > krb5_store_password_if_offline
> > > to keep your password in the kernel keyring and let sssd kinit on your
> > > behalf when it detects you've gone online again.
> > >
> > > --
> > > Manage your subscription for the Freeipa-users mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > Go To http://freeipa.org for more info on the project
> > >
>
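
An added example, not part of the thread or of SSSD itself: a small audit of the three options discussed above, reporting how long a cached password hash stays usable offline. It assumes offline_credentials_expiration is read from the [pam] section and counts days (0 meaning no limit) and that the two domain options are off when absent, per sssd.conf(5) and sssd-krb5(5); the sample configuration and the domain example.test are constructed.

```python
import configparser

# Constructed sample sssd.conf for a laptop client (not taken from the thread).
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = example.test

[pam]
offline_credentials_expiration = 0

[domain/example.test]
id_provider = ipa
cache_credentials = True
krb5_store_password_if_offline = True
"""

def _flag(section, key):
    # Assumption: both domain options count as off when the key is absent.
    return section.get(key, "false").strip().lower() == "true"

def audit_offline_auth(conf_text):
    """Return (domain, finding) tuples describing offline login behaviour."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    # Days a cached hash stays usable after the last online login; 0 = no limit.
    expiry = int(cp.get("pam", "offline_credentials_expiration", fallback="0"))
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        dom, sec = name.split("/", 1)[1], cp[name]
        if not _flag(sec, "cache_credentials"):
            findings.append((dom, "offline login disabled: no password hash cached"))
            continue
        if expiry == 0:
            findings.append((dom, "cached hash never expires"))
        else:
            findings.append((dom, f"cached hash valid offline for {expiry} day(s)"))
        if _flag(sec, "krb5_store_password_if_offline"):
            findings.append((dom, "password kept in kernel keyring for kinit on reconnect"))
    return findings

if __name__ == "__main__":
    for dom, msg in audit_offline_auth(SAMPLE_CONF):
        print(f"[{dom}] {msg}")
```

Setting offline_credentials_expiration to a non-zero number of days bounds how long a laptop that never reconnects keeps accepting the cached password.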