Matrix wrote:
Hi, All

IPA server was installed on ipaserver.dev.example.net

A user 'ads' in IPA will periodically 'rsync' files from ipaclient1 to ipaclient2. I found that rsync cronjobs will fail once the 'ads' kerberos ticket has expired. I would like to renew kerberos tickets before expiration without user intervention, but failed.

krb configuration:

    # cat /etc/krb5.conf
    includedir /var/lib/sss/pubconf/krb5.include.d/

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = EXAMPLE.NET
     dns_lookup_realm = false
     dns_lookup_kdc = true
     rdns = false
     ticket_lifetime = 24h
     forwardable = yes
     udp_preference_limit = 0
     default_ccache_name = KEYRING:persistent:%{uid}
     renew_lifetime = 7d

    [realms]
     EXAMPLE.NET = {
      kdc = ipaserver.dev.example.net:88
      master_kdc = ipaserver.dev.example.net:88
      admin_server = ipaserver.dev.example.net:749
      default_domain = example.net
      pkinit_anchors = FILE:/etc/ipa/ca.crt
     }

    [domain_realm]
     .example.net = EXAMPLE.NET
     example.net = EXAMPLE.NET

    [dbmodules]
     EXAMPLE.NET = {
      db_library = ipadb.so
     }

When I was trying to renew the kerberos ticket from client1, the following error message was shown:

    $ kinit -R
    kinit: KDC can't fulfill requested option while renewing credentials

And logs from the ipa server:

    # tailf /var/log/krb5kdc.log
    ......
    Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.11.235: TICKET NOT RENEWABLE: authtime 0, [email protected] for krbtgt/[email protected], KDC can't fulfill requested option
    Jun 14 06:22:35 ipaserver.dev.example.net krb5kdc[23368](info): closing down fd 10
    ......

Any suggestions would be appreciated.

Please see the list archives, for example https://www.redhat.com/archives/freeipa-users/2016-June/msg00176.html

rob
