[Freeipa-users] How to renew kerberos tickets without user intervention?
Matrix
matrix.zj at qq.com
Tue Jun 14 06:23:23 UTC 2016
Hi, All
IPA server was installed on ipaserver.dev.example.net
A user 'ads' in IPA periodically runs 'rsync' to copy files from ipaclient1 to ipaclient2. I found that the rsync cron jobs fail once the 'ads' Kerberos ticket has expired.
I would like to renew Kerberos tickets before expiration without user intervention, but failed.
krb configuration:
# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
renew_lifetime = 7d
[realms]
EXAMPLE.NET = {
kdc = ipaserver.dev.example.net:88
master_kdc = ipaserver.dev.example.net:88
admin_server = ipaserver.dev.example.net:749
default_domain = example.net
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.net = EXAMPLE.NET
example.net = EXAMPLE.NET
[dbmodules]
EXAMPLE.NET = {
db_library = ipadb.so
}
When I tried to renew the Kerberos ticket from client1, the following error message was shown:
$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials
And logs from ipa server:
# tailf /var/log/krb5kdc.log
......
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0, ads at EXAMPLE.NET for krbtgt/EXAMPLE.NET at EXAMPLE.NET, KDC can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
......
Any suggestions would be appreciated.
Best Regards
Matrix
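
The KDC log line above reports TICKET NOT RENEWABLE, which is the answer `kinit -R` gets when the cached TGT does not carry the renewable (R) flag. The check below is an added example, not part of the original message: it reads `klist -f` output and reports whether a renewal can succeed. The function names, the wrapper and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: tell from `klist -f` output whether `kinit -R` can succeed.
# Function names and both sample outputs are constructed for illustration.

# Reads `klist -f` text on stdin and prints: renewable | not-renewable | no-tgt
tgt_state() {
    awk '
        # Detail line directly under the first TGT entry: R in Flags = renewable.
        after_tgt {
            if (state == "")
                state = ($0 ~ /Flags: [A-Za-z]*R/) ? "renewable" : "not-renewable"
            after_tgt = 0
        }
        # Credential lines end with the service principal.
        $NF ~ /^krbtgt\// { after_tgt = 1; seen = 1 }
        END {
            if (!seen) print "no-tgt"
            else if (state == "") print "not-renewable"  # TGT listed without a flags line
            else print state
        }'
}

# Hypothetical cron wrapper: renew only when the cache allows it.
renew_if_possible() {
    case "$(klist -f 2>/dev/null | tgt_state)" in
        renewable) kinit -R ;;
        *) echo "TGT missing or not renewable; a new initial ticket is needed" >&2
           return 1 ;;
    esac
}

# Constructed sample: a TGT without the R flag, the case the KDC log reports.
sample_not_renewable() {
cat <<'EOF'
Ticket cache: KEYRING:persistent:1000:1000
Default principal: ads@EXAMPLE.NET

Valid starting       Expires              Service principal
06/14/2016 06:00:00  06/15/2016 06:00:00  krbtgt/EXAMPLE.NET@EXAMPLE.NET
	Flags: FIA
EOF
}

# Constructed sample: the same TGT issued as renewable.
sample_renewable() {
    sample_not_renewable |
        sed 's|Flags: FIA|renew until 06/21/2016 06:00:00, Flags: FRIA|'
}

sample_not_renewable | tgt_state
sample_renewable | tgt_state
```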