[Freeipa-users] How to renew kerberos tickets without user intervention?
Rob Crittenden
rcritten at redhat.com
Tue Jun 14 11:57:56 UTC 2016
Matrix wrote:
> HI, All
>
> IPA server was installed on ipaserver.dev.example.net
>
> A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to
> ipaclient2. I found that the rsync cron jobs will fail once the 'ads'
> Kerberos ticket has expired.
>
> I would like to renew Kerberos tickets before expiration without user
> intervention, but failed.
>
> krb configuration:
>
> # cat /etc/krb5.conf
> includedir /var/lib/sss/pubconf/krb5.include.d/
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = EXAMPLE.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
> rdns = false
> ticket_lifetime = 24h
> forwardable = yes
> udp_preference_limit = 0
> default_ccache_name = KEYRING:persistent:%{uid}
> renew_lifetime = 7d
>
> [realms]
> EXAMPLE.NET = {
> kdc = ipaserver.dev.example.net:88
> master_kdc = ipaserver.dev.example.net:88
> admin_server = ipaserver.dev.example.net:749
> default_domain = example.net
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> }
>
> [domain_realm]
> .example.net = EXAMPLE.NET
> example.net = EXAMPLE.NET
>
> [dbmodules]
> EXAMPLE.NET = {
> db_library = ipadb.so
> }
>
> When I was trying to renew the Kerberos ticket from client1, the error
> message shown was:
> $ kinit -R
> kinit: KDC can't fulfill requested option while renewing credentials
>
> And logs from ipa server:
> # tailf /var/log/krb5kdc.log
> ......
> Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ
> (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE:
> authtime 0, ads@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET, KDC
> can't fulfill requested option
> Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing
> down fd 10
> ......
>
> any suggestions would be appreciated.
>
Please see the list archives, for example
https://www.redhat.com/archives/freeipa-users/2016-June/msg00176.html
rob
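The KDC log above is the useful clue: "TICKET NOT RENEWABLE" on a TGS_REQ means the TGT sitting in the cache was issued without the renewable flag, so `kinit -R` can never succeed against it no matter what `renew_lifetime` in krb5.conf asks for (the KDC only grants a renewable TGT when its policy allows a non-zero renewable life, in FreeIPA `ipa krbtpolicy-show` and `ipa krbtpolicy-mod --maxrenew`), and even a job that does renew dies at the end of the renewable period. The usual way to run an unattended job is to give it its own credential from a keytab and re-kinit when the cache is running low. The script below is an added example, not code from this thread, from the archived message Rob links to, or from FreeIPA. It assumes a keytab at /etc/ads.keytab, a cron wrapper path of /usr/local/bin/ads-rsync.sh, rsync over ssh with GSSAPI, GNU `date`, and MIT `klist`'s default output where the expiry date and time are the third and fourth fields of the krbtgt line; the klist text it checks offline is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): cron wrapper that gives the
# 'ads' rsync job its own TGT from a keytab instead of relying on 'kinit -R'.
# Assumed: keytab at /etc/ads.keytab, GNU date, MIT klist default output.
set -eu

KEYTAB="${KEYTAB:-/etc/ads.keytab}"          # assumed path; mode 0600, owned by ads
PRINCIPAL="${PRINCIPAL:-ads@EXAMPLE.NET}"
MIN_LEFT_SECS="${MIN_LEFT_SECS:-3600}"       # refresh unless >= 1h of TGT life remains
# Private cache so the job never clobbers the user's interactive KEYRING cache.
export KRB5CCNAME="${KRB5CCNAME:-FILE:${HOME:-/tmp}/.krb5cc_ads_cron}"

# Constructed sample of 'LC_ALL=C klist' output, used for the offline self-check.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:1001:1001
Default principal: ads@EXAMPLE.NET

Valid starting       Expires              Service principal
06/14/2016 06:00:00  06/15/2016 06:00:00  krbtgt/EXAMPLE.NET@EXAMPLE.NET
	renew until 06/21/2016 06:00:00'

# tgt_expiry_epoch: read klist output on stdin and print the TGT expiry as
# epoch seconds. The krbtgt line is "<start date> <start time> <exp date>
# <exp time> <principal>", so the expiry is fields 3 and 4. Fails when there
# is no TGT line (empty cache, "No credentials cache found", ...).
tgt_expiry_epoch() {
    exp=$(awk '$5 ~ /^krbtgt\// { print $3 " " $4; exit }')
    [ -n "$exp" ] || return 1
    date -d "$exp" +%s
}

# tgt_valid_for KLIST_TEXT NOW_EPOCH SECONDS: succeed only when a TGT exists
# and is still valid for at least SECONDS after NOW_EPOCH.
tgt_valid_for() {
    exp=$(printf '%s\n' "$1" | tgt_expiry_epoch) || return 1
    [ "$exp" -ge $(( $2 + $3 )) ]
}

# ensure_tgt: keep the current cache if it has enough life left; otherwise get
# a fresh TGT from the keytab. No renewal is attempted: a TGT issued without
# the renewable flag (what the KDC log reports) can never be renewed.
ensure_tgt() {
    now=$(date +%s)
    out=$(LC_ALL=C klist 2>/dev/null || true)
    if tgt_valid_for "$out" "$now" "$MIN_LEFT_SECS"; then
        return 0
    fi
    kinit -kt "$KEYTAB" "$PRINCIPAL"
}

# Assumed cron entry on ipaclient1, in the crontab of user ads:
#   */30 * * * * /usr/local/bin/ads-rsync.sh run
case "${1:-}" in
    run)
        ensure_tgt
        exec rsync -a -e 'ssh -o GSSAPIAuthentication=yes' \
            /srv/data/ ipaclient2.dev.example.net:/srv/data/   # assumed paths
        ;;
esac
```

To create the keytab, `ipa-getkeytab -s ipaserver.dev.example.net -p ads -k /etc/ads.keytab` generates a new key for the principal, which invalidates the existing 'ads' password; `-r` retrieves the existing key instead, provided the server version supports it and the caller has access to the keys. Keep the file readable only by the job's user: anyone who can read it can be 'ads' until the key changes. Tools such as k5start (from the kstart package) or gssproxy do the same keytab-based refresh as a long-running service if a cron wrapper is not wanted.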