[debian-lan-devel] nfs4's Kerberos ticket expiration hangs user processes

Julien Lambot jlambot at gmail.com
Fri Sep 27 08:51:51 UTC 2013


Hi Andi

I'm quite noob on Kerberos/NFS, at least :)
In order to adapt the ticket lifetime, I tried to adapt the krb5.conf's
libdefaults on both server and clients without success.
E.g.:
[libdefaults]
        default_realm = INTERN
        ticket_lifetime = 86400

and also the /etc/krb5kdc/kdc.conf
[realms]
    INTERN = {
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

So I dug a bit into kadmin, with more success (everything seems to work
fine).

kadmin:  modprinc -maxlife 1days -maxrenewlife 1days +allow_renewable krbtgt/INTERN@INTERN

Though, to make sure everything is OK for workstations, users and NFS,
shall I also update principals like:

host/mainserver.intern@INTERN
nfs/mainserver.intern@INTERN
nfs/workstation00.intern@INTERN
host/workstation00.intern@INTERN
user@INTERN

I'm quite confused at this level.

Thanks for your advice.

Julien



On Thu, Sep 12, 2013 at 12:30 PM, Julien Lambot <jlambot at gmail.com> wrote:

> Hi Andreas
> I'll do that, with a one-week limit (I dislike that, but users are lazy).
>
> I continue with testing before the next install (another 24 computers
> LAN)
>
> Regards
>
>
> On Thu, Sep 12, 2013 at 11:48 AM, Andreas B. Mundt <andi.mundt at web.de> wrote:
>
>> Hi Julien,
>>
>> On Wed, Sep 11, 2013 at 02:30:44PM +0200, Julien Lambot wrote:
>> >
>> > I faced multiple issues concerning the above subject.
>> >
>> > It's related to http://lists.debian.org/debian-kernel/2011/11/msg00509.html
>> > As this is a rather old issue, is there another way to circumvent it?
>> >
>> > The current nfs-common implementation of gssd doesn't support the "-e"
>> > option and therefore when ticket expires (mostly when workstation is left
>> > idle for a long time and screensaver is activated) the user can't logon
>> > anymore.
>> >
>> > If there isn't any other way, I'll try the patch.
>>
>> To work around the expiring ticket (10h lifetime by default) you could
>> increase that time.  Of course this does not help when people stay
>> logged in for days or even weeks.
>>
>> Best regards,
>>
>>      Andi
>>
>
>
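
Added example, not part of the original message or of any Debian or MIT code: an MIT KDC issues a ticket for the shortest of the requested lifetime, the realm's max_life, and the maximum ticket life of the client and service principals, so this sketch applies that rule to show which setting is still the cap. The config values are the ones quoted in the message; the 10h limits on the principals and all function names are assumptions made for illustration.

```python
import re

# Seconds per unit, covering the spellings used in this thread:
# "24h 0m 0s", "7d 0h 0m 0s", "1days" and a bare "86400" (seconds).
UNITS = {"d": 86400, "day": 86400, "days": 86400,
         "h": 3600, "hour": 3600, "hours": 3600,
         "m": 60, "min": 60, "s": 1, "sec": 1}
TOKEN = re.compile(r"(\d+)\s*([a-z]+)")


def to_seconds(text):
    """Convert a krb5.conf / kdc.conf / kadmin duration string to seconds."""
    text = text.strip().lower()
    if text.isdigit():                      # bare number means seconds
        return int(text)
    # Reject anything left over after removing well-formed "<n><unit>" tokens.
    if not text or TOKEN.sub("", text).strip():
        raise ValueError(f"unrecognised duration: {text!r}")
    total = 0
    for count, unit in TOKEN.findall(text):
        if unit not in UNITS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(count) * UNITS[unit]
    return total


def effective_lifetime(requested, realm_max, client_max, service_max):
    """Return (seconds, names of the limits that produce that minimum)."""
    limits = {
        "krb5.conf ticket_lifetime": to_seconds(requested),
        "kdc.conf max_life": to_seconds(realm_max),
        "client principal maxlife": to_seconds(client_max),
        # For a TGT request the service principal is krbtgt/REALM@REALM.
        "service principal maxlife": to_seconds(service_max),
    }
    granted = min(limits.values())
    return granted, [name for name, value in limits.items() if value == granted]


# Constructed scenarios: the 10h principal limits are assumed, not read from a KDC.
SCENARIOS = {
    "config files edited only": ("86400", "24h 0m 0s", "10h", "10h"),
    "krbtgt raised with modprinc": ("86400", "24h 0m 0s", "10h", "1days"),
    "user principal raised too": ("86400", "24h 0m 0s", "1days", "1days"),
}

if __name__ == "__main__":
    for label, args in SCENARIOS.items():
        seconds, capped_by = effective_lifetime(*args)
        print(f"{label}: {seconds // 3600}h, capped by {', '.join(capped_by)}")
```

Service tickets such as nfs/... are additionally bounded by the end time of the TGT used to request them.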