<div dir="ltr"><div><div><div><div><div><div><div><div>Hi Andi<br><br></div>I'm quite noob on Kerberos/Nfs, at least :)<br></div>In order to adapt the ticket lifetime, I tried to adapt the krb5.conf's libdefault on both server and clients without succes.<br>
</div>Eg.: <br>[libdefaults]<br> default_realm = INTERN<br> ticket_lifetime = 86400<br><br></div>and also the /etc/krb5kdc/kdc.conf<br>[realms]<br> INTERN = {<br> admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab<br>
acl_file = /etc/krb5kdc/kadm5.acl<br> key_stash_file = /etc/krb5kdc/stash<br> kdc_ports = 750,88<br> max_life = 24h 0m 0s<br> max_renewable_life = 7d 0h 0m 0s<br><br></div>So I dig a bit into kadmin, with more success (everything seems to work fine)<br>
<style type="text/css">PRE.cjk { font-family: "Droid Sans Fallback",monospace; }PRE.ctl { font-family: "FreeSans",monospace; }P { margin-bottom: 0.21cm; }A:link { }</style>
<pre class="">kadmin: modprinc -maxlife 1days -maxrenewlife 1days +allow_renewable krbtgt/INTERN@INTERN
</pre>
Though, to make sure everything is ok for workstations, users and nfs, shall I also update principals like :<br><br>host/mainserver.intern@INTERN<br>nfs/mainserver.intern@INTERN<br>nfs/workstation00.intern@INTERN<br>host/workstation00.intern@INTERN<br>
</div>user@INTERN<br><br></div>I'm quite confused at this level.<br><br>Thanks for your advice.<br><br></div>Julien<br><div><div><div><div><div><div><br></div></div></div></div></div></div></div><div class="gmail_extra">
<br><br><div class="gmail_quote">On Thu, Sep 12, 2013 at 12:30 PM, Julien Lambot <span dir="ltr"><<a href="mailto:jlambot@gmail.com" target="_blank">jlambot@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div><div><div>Hi Andreas<br></div>I'll do that, with a one week limit (I dislike that but, users are lazy).<br><br></div>I continue with testings, before the next install (another 24 computers lan)<br>
<br>
</div>Regards<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Sep 12, 2013 at 11:48 AM, Andreas B. Mundt <span dir="ltr"><<a href="mailto:andi.mundt@web.de" target="_blank">andi.mundt@web.de</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Julien,<br>
<div><div><br>
On Wed, Sep 11, 2013 at 02:30:44PM +0200, Julien Lambot wrote:<br>
><br>
> I faced multiple issues concerning the above subject.<br>
><br>
> It's related to <a href="http://lists.debian.org/debian-kernel/2011/11/msg00509.html" target="_blank">http://lists.debian.org/debian-kernel/2011/11/msg00509.html</a><br>
> As this is a rather old issue, is there another way to circumvent it?<br>
><br>
> The current nfs-common implementation of gssd doesn't support the "-e"<br>
> option and therefore when ticket expires (mostly when workstation is left<br>
> idle for a long time and screensaver is activated) the user can't logon<br>
> anymore.<br>
><br>
> If there isn't any other way, I'll try the patch.<br>
<br>
</div></div>To work around the expiring ticket (10h lifetime by default) you could<br>
increase that time. Of course this does not help when people stay<br>
logged in for days or even weeks.<br>
<br>
Best regards,<br>
<br>
Andi<br>
<br>
_______________________________________________<br>
debian-lan-devel mailing list<br>
<a href="mailto:debian-lan-devel@lists.alioth.debian.org" target="_blank">debian-lan-devel@lists.alioth.debian.org</a><br>
<a href="http://lists.alioth.debian.org/mailman/listinfo/debian-lan-devel" target="_blank">http://lists.alioth.debian.org/mailman/listinfo/debian-lan-devel</a><br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>