Hi, all
The IPA server was installed on ipaserver.dev.example.net.
A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to
ipaclient2. I found that the rsync cron jobs fail once the 'ads' Kerberos
ticket has expired.
I would like to renew Kerberos tickets before expiration without user
intervention, but failed.
krb configuration:
# cat /etc/krb5.conf
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
default_ccache_name = KEYRING:persistent:%{uid}
renew_lifetime = 7d
[realms]
EXAMPLE.NET = {
kdc = ipaserver.dev.example.net:88
master_kdc = ipaserver.dev.example.net:88
admin_server = ipaserver.dev.example.net:749
default_domain = example.net
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.net = EXAMPLE.NET
example.net = EXAMPLE.NET
[dbmodules]
EXAMPLE.NET = {
db_library = ipadb.so
}
When I tried to renew the Kerberos ticket from client1, the following error
message was shown:
$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials
And logs from ipa server:
# tailf /var/log/krb5kdc.log
......
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0, [email protected] for krbtgt/[email protected], KDC can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
......
Any suggestions would be appreciated.
Best Regards
Matrix
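Added example, not part of the original post or of FreeIPA: a Python sketch that parses krb5kdc.log request lines in the layout quoted above and counts, per client principal and address, the TGS_REQ renewals the KDC rejected as TICKET NOT RENEWABLE. The sample lines and principals are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Request-line layout as in the krb5kdc.log excerpt in the post.
# Assumes unwrapped lines and an IPv4 client address.
KDC_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\skrb5kdc\[\d+\]\(info\):\s"
    r"(?P<req>AS_REQ|TGS_REQ)\s\(\d+\setypes\s\{[\d\s]*\}\)\s(?P<addr>[\d.]+):\s"
    r"(?P<status>[A-Z_ ]+):\sauthtime\s(?P<authtime>\d+),\s"
    r"(?:etypes\s\{[^}]*\},\s)?"  # only present on successful ISSUE lines
    r"(?P<client>\S+)\sfor\s(?P<service>[^\s,]+)(?:,\s(?P<error>.+))?$"
)

# Constructed sample input; principals and the authtime value are placeholders.
SAMPLE_LOG = """\
Jun 14 06:00:01 ipaserver.dev.example.net krb5kdc[23368](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: ISSUE: authtime 1400000000, etypes {rep=18 tkt=18 ses=18}, ads@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0, ads@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET, KDC can't fulfill requested option
Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
Jun 14 07:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0, ads@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET, KDC can't fulfill requested option
Jun 14 07:30:00 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.240: TICKET NOT RENEWABLE: authtime 0, backup@EXAMPLE.NET for krbtgt/EXAMPLE.NET@EXAMPLE.NET, KDC can't fulfill requested option
"""


def parse_line(line):
    """Return the fields of one KDC request line, or None for other log lines."""
    m = KDC_LINE.match(line.strip())
    return m.groupdict() if m else None


def renewal_failures(lines):
    """Count rejected renewals: the TGT presented to the KDC had no renewable flag."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["req"] == "TGS_REQ" and rec["status"] == "TICKET NOT RENEWABLE":
            hits[(rec["client"], rec["addr"])] += 1
    return hits


if __name__ == "__main__":
    for (client, addr), n in renewal_failures(SAMPLE_LOG.splitlines()).items():
        print(f"{client} from {addr}: {n} renewal(s) refused, TGT not renewable")
```
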