Kerberos ticket auto-renewal not working

Status: Not open for further replies.

AlektroNik (Cadet, joined Aug 17, 2012, 4 messages)
Hi all!

The situation:

1) FreeNAS-8.3.0-RELEASE-x64
2) AD: Windows 2003
3) FQDN: "DOMAIN" (no ".local" suffix or similar)
4) Timezone: Europe/Moscow

The problem:
After the Kerberos ticket expires, the credential cache is not renewed automatically. How can I make the tickets renew automatically?

What I have tried:
Obtaining tickets manually works fine in several different ways; specific examples below:
a) The first example

Code:
# kinit storage-adm@DOMAIN
storage-adm@DOMAIN's Password:

# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: storage-adm@DOMAIN
    Cache version: 4

Server: krbtgt/DOMAIN@DOMAIN
Client: storage-adm@DOMAIN
Ticket etype: arcfour-hmac-md5, kvno 2
Ticket length: 937
Auth time:  Oct 29 12:55:25 2012
End time:   Oct 29 22:55:25 2012
Ticket flags: forwardable, initial, pre-authenticated
Addresses: addressless


b) The second example:
If I restart the Active Directory service or reboot the server entirely, the tickets are obtained normally.
 

AlektroNik (Cadet, joined Aug 17, 2012, 4 messages)
First, I wrote a little script to renew the ticket and added it to cron.

For 8.2.0 (beforehand you have to start the AD service through the web interface and copy the krb5.conf it generates to a location that stays writable):
Code:
#!/bin/sh
# FreeBSD/FreeNAS has no /bin/bash; /bin/sh is enough for this script.
# 8.2.0 regenerates /etc on boot, so put back the krb5.conf the AD service produced.
cp -f /mnt/zpool_data/data_domain/krb5.conf /etc/
chmod 644 /etc/krb5.conf
# The password goes through a temporary file: make it root-only and delete it right after use.
umask 077
echo your_password > /tmp/storage-adm.pwd
kinit --renewable --password-file=/tmp/storage-adm.pwd storage-adm@DOMAIN
rm -f /tmp/storage-adm.pwd


For 8.3.0:
Code:
#!/bin/sh
# 8.3.0 keeps krb5.conf in place, so only the ticket has to be obtained.
umask 077
echo your_password > /tmp/storage-adm.pwd
kinit --renewable --password-file=/tmp/storage-adm.pwd storage-adm@DOMAIN
rm -f /tmp/storage-adm.pwd


BUT today I found the script ix-kinit, which does all of these steps by itself.

So in the end the scripts are as follows.
For 8.2.0:
Code:
#!/bin/sh
# Restore the generated krb5.conf, then let the system's own ix-kinit rc script obtain the ticket.
cp -f /mnt/zpool_data/data_domain/krb5.conf /etc/
chmod 644 /etc/krb5.conf
service ix-kinit restart


For 8.3.0:
Code:
#!/bin/sh
# ix-kinit reads the stored AD credentials itself, so no password file is needed.
service ix-kinit restart



Problem description:
In 8.3.0 there is one small nuance that I could not resolve...
If you start the AD service manually through the web interface, you get 2 tickets:
Code:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: storage-adm@DOMAIN

  Issued           Expires          Principal
Nov  1 14:21:05  Nov  2 00:21:05  krbtgt/DOMAIN@DOMAIN
Nov  1 14:21:17  Nov  2 00:21:05  ldap/srv-pdc.domain@DOMAIN


And if you use the console command or the script, there is only one:
Code:
# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: storage-adm@DOMAIN

  Issued           Expires          Principal
Nov  1 14:24:46  Nov  2 00:24:46  krbtgt/DOMAIN@DOMAIN


If anyone knows how to solve this puzzle, I would be grateful for your help.
 
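A cron-friendly refresh script for the situation described in both posts above, added here as an example; it is not code from the original posts and not FreeNAS's own ix-kinit script. It reads the `klist -v` listing (the format shown in the first post), checks whether the TGT actually carries the "renewable" flag, and only then tries `kinit -R`; otherwise it reacquires a ticket from a keytab, so no password ever has to sit in /tmp. The principal `storage-adm@DOMAIN` comes from the thread; the keytab path `/etc/krb5.keytab`, the script location and the Heimdal kinit/klist options (FreeBSD base system) are assumptions. The two `klist -v` listings embedded in the script are constructed samples, not captured output.

```shell
#!/bin/sh
# krb-refresh.sh: cron-driven Kerberos TGT maintenance for a FreeNAS/FreeBSD host.
# Added example; not from the original thread or from FreeNAS's ix-kinit script.
# Assumptions (not in the original posts): Heimdal kinit/klist (FreeBSD base),
# a keytab /etc/krb5.keytab holding storage-adm@DOMAIN, and root's default cache.
# Run from cron, e.g. "*/30 * * * * root /mnt/zpool_data/krb-refresh.sh run".

PRINCIPAL="${PRINCIPAL:-storage-adm@DOMAIN}"   # principal taken from the thread
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"           # assumed keytab path

# Print the "Ticket flags:" of the krbtgt entry from `klist -v` output read on stdin.
# Service tickets (e.g. ldap/...) may be listed before the TGT, so key on "Server:".
tgt_flags() {
    awk '/^Server: krbtgt\//{in_tgt=1}
         in_tgt && /^Ticket flags:/{sub(/^Ticket flags:[[:space:]]*/, ""); print; exit}'
}

# Map a flags string to the action a cron run should take:
#   renew     - the TGT carries the "renewable" flag, so `kinit -R` extends it
#               without any secret being available on disk
#   reacquire - the TGT is missing or not renewable (the first post's ticket:
#               "forwardable, initial, pre-authenticated"), so a fresh one has
#               to be obtained from the keytab
refresh_action() {
    case ",$(printf '%s' "$1" | tr -d ' ')," in
        *,renewable,*) echo renew ;;
        *)             echo reacquire ;;
    esac
}

# Do the actual refresh against the live credential cache.
refresh_ticket() {
    if klist -s 2>/dev/null; then                  # valid, unexpired TGT present?
        action=$(refresh_action "$(klist -v | tgt_flags)")
    else
        action=reacquire
    fi
    case "$action" in
        renew)
            # Renewal stops working once AD's maximum renewable life (7 days by
            # default) is used up, so fall back to the keytab if it fails.
            kinit -R "$PRINCIPAL" || kinit --renewable -t "$KEYTAB" "$PRINCIPAL"
            ;;
        reacquire)
            kinit --renewable -t "$KEYTAB" "$PRINCIPAL"
            ;;
    esac
}

# Constructed sample in the format of the first post: no "renewable" flag.
SAMPLE_NOT_RENEWABLE='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: storage-adm@DOMAIN

Server: krbtgt/DOMAIN@DOMAIN
Client: storage-adm@DOMAIN
Ticket flags: forwardable, initial, pre-authenticated
Addresses: addressless'

# Constructed sample with a service ticket listed before a renewable TGT.
SAMPLE_RENEWABLE='Credentials cache: FILE:/tmp/krb5cc_0
        Principal: storage-adm@DOMAIN

Server: ldap/srv-pdc.domain@DOMAIN
Client: storage-adm@DOMAIN
Ticket flags: forwardable, pre-authenticated

Server: krbtgt/DOMAIN@DOMAIN
Client: storage-adm@DOMAIN
Ticket flags: forwardable, renewable, initial, pre-authenticated'

# Decide the action for a captured `klist -v` listing (used by the demo and tests).
action_for_listing() {
    refresh_action "$(printf '%s\n' "$1" | tgt_flags)"
}

case "${1:-}" in
    run)  refresh_ticket ;;                        # real cron entry point
    demo) printf 'post #1 ticket: %s\n' "$(action_for_listing "$SAMPLE_NOT_RENEWABLE")"
          printf 'renewable TGT:  %s\n' "$(action_for_listing "$SAMPLE_RENEWABLE")" ;;
esac
```

Two notes on the behaviour seen in the thread. First, the ticket in the first post is not renewable ("forwardable, initial, pre-authenticated", no "renewable"), so `kinit -R` cannot extend it; a renewable TGT has to be requested up front, which is what the `--renewable` option in the later scripts does, and it is still capped by the domain's maximum renewable lifetime. Second, the extra `ldap/srv-pdc.domain@DOMAIN` line after starting AD from the web interface is a service ticket: the AD service bound to the domain controller's LDAP with GSSAPI using the fresh TGT, and the KDC issued a ticket for that service. A plain `kinit` only obtains the TGT; the service ticket is requested automatically the next time something talks to LDAP with Kerberos, so its absence after running the script is not a fault. Creating the keytab (for example with ktpass on the domain controller) is outside this example; on MIT Kerberos the reacquire line would read `kinit -k -t "$KEYTAB" -r 7d "$PRINCIPAL"` instead.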