[Freeipa-users] How to renew kerberos tickets without user intervention?

Matrix matrix.zj at qq.com
Tue Jun 14 06:23:23 UTC 2016


Hi, All

IPA server was installed on ipaserver.dev.example.net

A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to ipaclient2. I found that the rsync cron jobs fail once the 'ads' Kerberos ticket has expired.

I would like to renew Kerberos tickets before expiration without user intervention, but failed.

krb configuration: 

# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.NET
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = yes
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}
 renew_lifetime = 7d

[realms]
 EXAMPLE.NET = {
  kdc = ipaserver.dev.example.net:88
  master_kdc = ipaserver.dev.example.net:88
  admin_server = ipaserver.dev.example.net:749
  default_domain = example.net
  pkinit_anchors = FILE:/etc/ipa/ca.crt
}

[domain_realm]
 .example.net = EXAMPLE.NET
 example.net = EXAMPLE.NET

[dbmodules]
  EXAMPLE.NET = {
    db_library = ipadb.so
  }

When I tried to renew the Kerberos ticket from client1, this error message was shown:
$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

And the logs from the IPA server:
# tailf /var/log/krb5kdc.log
......
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0,  ads at EXAMPLE.NET for krbtgt/EXAMPLE.NET at EXAMPLE.NET, KDC can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
......

Any suggestions would be appreciated.

Best Regards

Matrix