GSSAPI Error: The Referenced Context has Expired (Unknown Error)
Error
Occasionally, you may see multiple errors in the logs.
Mar 4 07:34:59 linuxhost lsass: GSSAPI Error: The referenced context has expired (Unknown error)
This may or may not be associated with slow logins.
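One way to triage the log message above, added here as an example and not taken from the product: it pulls the expired-context errors out of syslog lines and reports per-host bursts, giving timestamps to compare against reports of slow logins. The sample lines, the year argument, the 2-minute gap, the threshold of 3 and the optional `[pid]` in the pattern are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The lsass message quoted in this article. The optional "[pid]" is an assumption
# about local syslog formatting; syslog may pad single-digit days with a space.
EXPIRED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"lsass(?:\[\d+\])?:\s+GSSAPI Error: The referenced context has expired"
)

def parse_events(lines, year):
    """Return (timestamp, host) for each matching line; syslog omits the year."""
    events = []
    for line in lines:
        m = EXPIRED.match(line)
        if m:
            stamp = " ".join(m.group("ts").split())  # collapse day padding
            when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((when, m.group("host")))
    return events

def find_bursts(events, max_gap=timedelta(minutes=2), threshold=3):
    """Return (host, first, last, count) for runs of errors spaced <= max_gap."""
    by_host = defaultdict(list)
    for when, host in events:
        by_host[host].append(when)
    bursts = []
    for host, times in sorted(by_host.items()):
        times.sort()
        run = [times[0]]
        for t in times[1:] + [None]:  # None flushes the final run
            if t is not None and t - run[-1] <= max_gap:
                run.append(t)
                continue
            if len(run) >= threshold:
                bursts.append((host, run[0], run[-1], len(run)))
            run = [t]
    return bursts

# Constructed sample input: only the first line comes from this article.
SAMPLE = """\
Mar 4 07:34:59 linuxhost lsass: GSSAPI Error: The referenced context has expired (Unknown error)
Mar  4 07:35:01 linuxhost lsass: GSSAPI Error: The referenced context has expired (Unknown error)
Mar  4 07:35:40 linuxhost lsass: GSSAPI Error: The referenced context has expired (Unknown error)
Mar  4 07:36:02 linuxhost sshd[2211]: Accepted password for alice from 192.0.2.10 port 50514 ssh2
Mar  4 09:15:00 otherhost lsass: GSSAPI Error: The referenced context has expired (Unknown error)
Mar  4 11:02:13 linuxhost lsass: GSSAPI Error: The referenced context has expired (Unknown error)
""".splitlines()
```

Calling `find_bursts(parse_events(SAMPLE, 2024))` reports one burst of three errors on linuxhost; the isolated errors at 09:15:00 and 11:02:13 fall below the threshold.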
Cause
If a user does not enter their password for 8 hours after their initial login, the Kerberos ticket expires and may not be renewed; 8 hours is the default Kerberos expiration time. There may also be issues with user load or concurrency that could prevent the ticket from being refreshed.
A user's Kerberos ticket must also be renewed when the user is using:
- Single sign-on (SSO)
- Another SSH client
- An SMB client. For example, using Nautilus from a workstation desktop.
- NFSv4 mounts
Resolution
If you don't need SSO, you can turn off the following configuration setting (enabled by default), which may improve performance:
Name: RefreshUserCredentials
Description: Whether to refresh user credentials against AD domain controller
Type: boolean
Current Value: true
Accepted Values: true, false
Current Value is determined by local policy.
You may also use a group policy to manage this centrally. Configure the Lsassd: Enable user credential refreshing setting, which is typically located under the Authorization and Identification group.