Hi all,
I've noticed that tickets do not get renewed if the user logs out. Is this intentional even if the ticket cache is stored in the user home? If so is there any way to make sssd renew tickets even for users who no longer have a session open on the server so they can run cron jobs etc?
Regards Olle
On Wed, Dec 02, 2015 at 07:48:59AM -0000, olle Hansson wrote:
Hi all,
I've noticed that tickets do not get renewed if the user logs out. Is this intentional even if the ticket cache is stored in the user home? If so is there any way to make sssd renew tickets even for users who no longer have a session open on the server so they can run cron jobs etc?
yes, this is intentional. SSSD checks if there is still a process of the user running on the system before renewing a ticket. If a put a 'sleep 999999' in the background before you log out SSSD should try renew the ticket while you are not logged in.
HTH
bye, Sumit
Regards Olle _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
On Wed, Dec 02, 2015 at 11:30:22AM +0100, Sumit Bose wrote:
On Wed, Dec 02, 2015 at 07:48:59AM -0000, olle Hansson wrote:
Hi all,
I've noticed that tickets do not get renewed if the user logs out. Is this intentional even if the ticket cache is stored in the user home? If so is there any way to make sssd renew tickets even for users who no longer have a session open on the server so they can run cron jobs etc?
yes, this is intentional. SSSD checks if there is still a process of the user running on the system before renewing a ticket. If a put a 'sleep 999999' in the background before you log out SSSD should try renew the ticket while you are not logged in.
Would this work also in systemd with systemd-logind? I thought we switched to checkig if there is a session instead (but I also remember there were some concerns over sudo and su not being treated as opening a session, so I don't remember what the outcome was..)
On Wed, Dec 02, 2015 at 11:37:04AM +0100, Jakub Hrozek wrote:
On Wed, Dec 02, 2015 at 11:30:22AM +0100, Sumit Bose wrote:
On Wed, Dec 02, 2015 at 07:48:59AM -0000, olle Hansson wrote:
Hi all,
I've noticed that tickets do not get renewed if the user logs out. Is this intentional even if the ticket cache is stored in the user home? If so is there any way to make sssd renew tickets even for users who no longer have a session open on the server so they can run cron jobs etc?
yes, this is intentional. SSSD checks if there is still a process of the user running on the system before renewing a ticket. If a put a 'sleep 999999' in the background before you log out SSSD should try renew the ticket while you are not logged in.
Would this work also in systemd with systemd-logind? I thought we switched to checkig if there is a session instead (but I also remember there were some concerns over sudo and su not being treated as opening a session, so I don't remember what the outcome was..)
yes, but in the case the user was not found by sd_uid_get_sessions() we fall back to crawl through /proc.
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
On 12/02/2015 11:56 AM, Sumit Bose wrote:
On Wed, Dec 02, 2015 at 11:37:04AM +0100, Jakub Hrozek wrote:
On Wed, Dec 02, 2015 at 11:30:22AM +0100, Sumit Bose wrote:
On Wed, Dec 02, 2015 at 07:48:59AM -0000, olle Hansson wrote:
Hi all,
I've noticed that tickets do not get renewed if the user logs out. Is this intentional even if the ticket cache is stored in the user home? If so is there any way to make sssd renew tickets even for users who no longer have a session open on the server so they can run cron jobs etc?
yes, this is intentional. SSSD checks if there is still a process of the user running on the system before renewing a ticket. If a put a 'sleep 999999' in the background before you log out SSSD should try renew the ticket while you are not logged in.
Would this work also in systemd with systemd-logind? I thought we switched to checkig if there is a session instead (but I also remember there were some concerns over sudo and su not being treated as opening a session, so I don't remember what the outcome was..)
yes, but in the case the user was not found by sd_uid_get_sessions() we fall back to crawl through /proc.
Hi Sumit,
cool, that is nice. I tried to use this renew-feature for logged out users some time ago, and it did not work as expected.
Do you happen to know as of which version it should work as you describe?
Thank you, Joschi
On Wed, Dec 02, 2015 at 04:09:37PM +0100, Joschi Brauchle wrote:
On 12/02/2015 11:56 AM, Sumit Bose wrote:
On Wed, Dec 02, 2015 at 11:37:04AM +0100, Jakub Hrozek wrote:
On Wed, Dec 02, 2015 at 11:30:22AM +0100, Sumit Bose wrote:
On Wed, Dec 02, 2015 at 07:48:59AM -0000, olle Hansson wrote:
Hi all,
I've noticed that tickets do not get renewed if the user logs out. Is this intentional even if the ticket cache is stored in the user home? If so is there any way to make sssd renew tickets even for users who no longer have a session open on the server so they can run cron jobs etc?
yes, this is intentional. SSSD checks if there is still a process of the user running on the system before renewing a ticket. If a put a 'sleep 999999' in the background before you log out SSSD should try renew the ticket while you are not logged in.
Would this work also in systemd with systemd-logind? I thought we switched to checkig if there is a session instead (but I also remember there were some concerns over sudo and su not being treated as opening a session, so I don't remember what the outcome was..)
yes, but in the case the user was not found by sd_uid_get_sessions() we fall back to crawl through /proc.
Hi Sumit,
cool, that is nice. I tried to use this renew-feature for logged out users some time ago, and it did not work as expected.
Do you happen to know as of which version it should work as you describe?
iirc SSSD always checked if there is a process with the user's UID running before trying to renew the ticket. So it a sleep is running in the background or some terminal-multiplexer like tmux or screen are still running in a detached mode SSSD should try to renew the ticket.
bye, Sumit
Thank you, Joschi
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
sssd-users@lists.fedorahosted.org
-
Jakub Hrozek -
Joschi Brauchle -
olle Hansson -
Sumit Bose