[Freeipa-users] How to change kerberos key lifetime?

William Muriithi william.muriithi at gmail.com
Thu Mar 2 02:46:54 UTC 2017


Hello David/Lukas

Thank you for your assistance so far. I still have the problem and am not
even sure what to look at next.  We are still seeing key expiry errors
from NFS even after the proposed changes.

[william at silicon ~]$ ssh iron
Last login: Wed Mar  1 19:26:56 2017 from silicon.eng.example.com
Could not chdir to home directory /home/william: Key has expired
[william at iron /]$

[rtdamgr at silicon ~]$ ssh manganese
Last login: Wed Mar  1 19:26:57 2017 from silicon.eng.example.com
Could not chdir to home directory /home/william: Permission denied
[william at manganese /]$


[william at silicon ~]$ ssh iron
Last login: Wed Mar  1 19:58:36 2017 from manganese.eng.example.com
DISPLAY is manganese:2
[william at iron ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_800


These are the changes that I currently have on my sssd.conf

[domain/eng.example.com]

krb5_realm = ENG.EXAMPLE.COM
krb5_server = hydrogen.eng.example.com
auth_provider = krb5
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
cache_credentials = True
krb5_store_password_if_offline = True

According to this article, this change would ensure that the system
auto-renews the keys for the next 50 days.  Why would this key expiry
still show up?

http://people.redhat.com/steved/Summits/Summit13/Summit_Handout13.pdf

One side question: what is the difference between "auth_provider =
krb5" and "auth_provider = ipa"?  In other words, what difference is
expected between the two as far as IPA usage is concerned, and what
would make one choose one over the other?


Regards,
William





On 17 February 2017 at 09:56, Lukas Slebodnik <lslebodn at redhat.com> wrote:
> On (16/02/17 18:05), William Muriithi wrote:
>>> The fact that your desktops are using SSSD changes the situation dramatically.
>>>
>>> SSSD (with the ipa or krb5 provider) obtains a ticket for the user when they log in,
>>> and can be configured to renew the ticket for the user until the ticket's renewable
>>> lifetime expires.
>>>
>>> Given this, you can keep the ticket lifetime reasonably short (~1 day), set the ticket
>>> renewable lifetime to a longer period (~2 weeks), and maintain a reasonable
>>> security level without negative impact on users' daily work.
>>>
>>> Look for the krb5_renew_interval, krb5_lifetime and krb5_renewable_lifetime options
>>> in the sssd-krb5 man page.
>>>
>>Thanks a lot.  I did actually end up using this.   Will wait for a
>>couple of days, see if the situation is better, and
>>update you.
>>
>>Curious though, why isn't the renewal interval set up by default?  Is there
>>a negative consequence of having SSSD renew tickets by default?  I
>>can't think of any and hence am a bit lost on explaining the default
>>setup.
>
> Desktop/laptop users usually do not need automatic renewal.
> They authenticate/log in/unlock the screen quite often, and for each
> action sssd authenticates against the IPA server, which automatically gets/renews
> the krb5 ticket. Unless the machine is offline.
>
> LS
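As an added example (not code from this thread or from the SSSD project), here is a small Python checker for the three options Lukas points to, run over the [domain/eng.example.com] fragment quoted above; the sample config is constructed from that fragment, and `kdc_max_renewable_life` is an assumed parameter the admin fills in from the realm's ticket policy (`ipa krbtpolicy-show`), since SSSD cannot request a renewable lifetime longer than the KDC allows.

```python
import configparser
import re

# Constructed sample: the [domain/...] section quoted in the mail above,
# with krb5_lifetime left unset exactly as in the original fragment.
SAMPLE_SSSD_CONF = """
[domain/eng.example.com]
krb5_realm = ENG.EXAMPLE.COM
krb5_server = hydrogen.eng.example.com
auth_provider = krb5
krb5_renewable_lifetime = 50d
krb5_renew_interval = 3600
cache_credentials = True
krb5_store_password_if_offline = True
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """SSSD duration syntax: integer seconds, or an integer with s/m/h/d suffix."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def check_renewal(conf_text, domain, kdc_max_renewable_life=None):
    """Return a list of findings about ticket-renewal settings for one domain.

    kdc_max_renewable_life (seconds) is assumed to be copied from the KDC's
    ticket policy; the KDC silently caps the requested renewable lifetime at it.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    interval = parse_duration(sec.get("krb5_renew_interval", "0"))
    renewable = parse_duration(sec.get("krb5_renewable_lifetime", "0"))
    lifetime = sec.get("krb5_lifetime")
    if interval <= 0:
        findings.append("renewal disabled: krb5_renew_interval missing or 0")
    if renewable <= 0:
        findings.append("tickets not requested renewable: krb5_renewable_lifetime unset")
    if lifetime is None:
        findings.append("krb5_lifetime unset: ticket lifetime comes from KDC policy; "
                        "krb5_renew_interval must still be shorter than that lifetime")
    else:
        life = parse_duration(lifetime)
        if interval >= life:
            findings.append("krb5_renew_interval >= krb5_lifetime: ticket expires before renewal runs")
        if renewable <= life:
            findings.append("krb5_renewable_lifetime <= krb5_lifetime: nothing to renew")
    if kdc_max_renewable_life is not None and renewable > kdc_max_renewable_life:
        findings.append("krb5_renewable_lifetime exceeds KDC max renewable life; KDC will cap it")
    return findings
```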



