[Freeipa-users] IPA certificates expired, please help!

Jakub Hrozek jhrozek at redhat.com
Fri Jul 22 14:31:29 UTC 2016


On Fri, Jul 22, 2016 at 09:36:27AM -0400, Linov Suresh wrote:
> I'm facing another issue now, my kerberos tickets are not renewing,

In general I think it's better to start separate threads about separate
issues. That way people who only scan the subject lines can see if this
thread is something they can help with :)

> 
> *[root at caer ~]# ipa cert-show 1*
> ipa: ERROR: Ticket expired
> 
> *[root at caer ~]# klist*
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at TELOIP.NET
> 
> Valid starting     Expires            Service principal
> 07/20/16 14:42:26  07/21/16 14:42:22  krbtgt/TELOIP.NET at TELOIP.NET
> 07/20/16 14:42:36  07/21/16 14:42:22  HTTP/caer.teloip.net at TELOIP.NET
> 07/21/16 11:40:15  07/21/16 14:42:22  ldap/caer.teloip.net at TELOIP.NET
> 
> I need to manually renew the tickets every day,
> 
> *[root at caer ~]# kinit admin*
> Password for admin at TELOIP.NET:
> Warning: Your password will expire in 6 days on Thu Jul 28 15:20:15 2016
> 
> *[root at caer ~]# klist *
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin at TELOIP.NET
> 
> Valid starting     Expires            Service principal
> 07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/TELOIP.NET at TELOIP.NET

The first thing to keep in mind is that SSSD only renews tickets it
'knows about', so tickets that were acquired through SSSD, not directly
with kinit.

For options about renewing SSSD-acquired tickets, see man sssd-krb5 and
search for renew.
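An added example, not part of the original message: a small check over `klist` output that reports whether each ticket is expired and whether it can still be renewed. MIT `klist` prints a `renew until` line only for renewable tickets, and the output quoted above has none. The sample caches, the `EXAMPLE.TEST` realm and the function names are constructed for illustration, and the date layout is assumed to match the one shown in the post.

```python
import re
from datetime import datetime

FMT = "%m/%d/%y %H:%M:%S"  # assumed: same date layout as the klist output in the post
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s*renew until ({STAMP})")

# Constructed samples: a TGT without a renewable lifetime, and one with it.
NON_RENEWABLE = """\
Valid starting     Expires            Service principal
07/22/16 09:34:52  07/23/16 09:34:49  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""
RENEWABLE = NON_RENEWABLE + "\trenew until 07/29/16 09:34:52\n"

def parse_klist(text):
    """Return one dict per ticket line, attaching any following 'renew until' line."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            tickets.append({"principal": m.group(3),
                            "expires": datetime.strptime(m.group(2), FMT),
                            "renew_until": None})
        elif tickets and (r := RENEW.match(line)):
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), FMT)
    return tickets

def status(ticket, now):
    """Classify a ticket; an expired ticket cannot be renewed, so check expiry first."""
    if now >= ticket["expires"]:
        return "expired"
    if ticket["renew_until"] and now < ticket["renew_until"]:
        return "renewable"
    return "valid, not renewable"

if __name__ == "__main__":
    now = datetime(2016, 7, 22, 12, 0, 0)  # fixed clock so the sample is reproducible
    for name, cache in (("non-renewable", NON_RENEWABLE), ("renewable", RENEWABLE)):
        for t in parse_klist(cache):
            print(f"{name}: {t['principal']}: {status(t, now)}")
```
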



