Applies to: Centrify DirectControl 4.2 or later.
Question:
How to refresh an Active Directory (AD) user account's Kerberos ticket automatically?
Answer:
For AD users who authenticate using DirectControl:
1. Modify /etc/centrifydc/centrifydc.conf and set:
krb5.cache.infinite.renewal: true. By default, Kerberos tickets are valid for 10 hours, and krb5.cache.renew.interval (how often the agent renews cached tickets) defaults to 4 hours, so with infinite renewal enabled the ticket is always renewed well before it expires.
2. Run: adreload.
For service accounts that are set up to read the krb5.keytab file, create crontab entries that re-acquire the ticket with kinit before it expires. The entries below run every 8 hours, inside the default 10-hour ticket lifetime; hostname$ is the computer account principal stored in the keytab:
01 00 * * * /usr/share/centrifydc/kerberos/bin/kinit -k -V hostname$
01 08 * * * /usr/share/centrifydc/kerberos/bin/kinit -k -V hostname$
01 16 * * * /usr/share/centrifydc/kerberos/bin/kinit -k -V hostname$
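The three cron lines above call kinit unconditionally and rely on cron mail for error reporting, which is easy to miss. The wrapper below is an added example, not part of the original article or of Centrify's own tooling: it renews only when klist reports no valid ticket and writes the outcome to a log file, so a broken keytab or a trust problem shows up in the log instead of failing silently. It assumes the Centrify MIT-based klist supports the standard -s (silent check) flag; KRB_BIN, PRINCIPAL, LOG_FILE and the log format are this example's own choices, and hostname$ is the same placeholder the article uses.

```shell
#!/bin/sh
# Added example (not Centrify's code): cron-safe Kerberos ticket renewal for
# a keytab-backed computer/service account.
# Suggested crontab line (same 8-hour cadence as the article):
#   01 00,08,16 * * * /usr/local/sbin/krb-renew.sh run

# Assumptions: kinit/klist live under the Centrify path from the article;
# override via environment for testing or a different install.
KRB_BIN="${KRB_BIN:-/usr/share/centrifydc/kerberos/bin}"
PRINCIPAL="${PRINCIPAL:-hostname\$}"         # placeholder: replace with your computer account
LOG_FILE="${LOG_FILE:-/var/log/krb-renew.log}"

# Append a timestamped line to the log file.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG_FILE"
}

# renew_ticket PRINCIPAL
# Returns 0 if a valid ticket exists or was obtained, 1 if kinit failed.
renew_ticket() {
    principal="$1"

    # klist -s is silent and exits 0 only when a valid, unexpired ticket
    # is in the default credential cache (assumed: MIT-compatible klist).
    if "$KRB_BIN/klist" -s 2>/dev/null; then
        log "ticket for $principal still valid; no renewal needed"
        return 0
    fi

    # Obtain a fresh ticket from the keytab (-k), capturing kinit's output
    # so the reason for a failure is preserved in the log.
    out=$("$KRB_BIN/kinit" -k "$principal" 2>&1)
    rc=$?
    if [ "$rc" -eq 0 ]; then
        log "renewed ticket for $principal"
        return 0
    fi
    log "kinit failed for $principal (rc=$rc): $out"
    return 1
}

# Only perform the renewal when invoked with "run", so that sourcing the
# file (e.g. for testing) does not touch the credential cache.
case "${1:-}" in
    run) renew_ticket "$PRINCIPAL" ;;
esac
```

Because klist -s is checked first, the script can be scheduled more often than the ticket lifetime without extra load on the KDC; only the log line changes. Keep the keytab readable by root only, since anyone who can read it can obtain the same ticket.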