On 12/03/2014 01:34 PM, Jakub Hrozek wrote:
> On Wed, Dec 03, 2014 at 12:03:16PM +0100, Joschi Brauchle wrote:
>> On 12/02/2014 04:45 PM, Jakub Hrozek wrote:
>>> On Mon, Dec 01, 2014 at 05:43:49PM +0100, Joschi Brauchle wrote:
>>>> Hello Everyone,
>>>>
>>>> there seems to be a problem with the KRB TGT auto-renewal feature of SSSD in
>>>> version 1.12.2.
>>>>
>>>> I have this config in sssd.conf:
>>>> -----------------------------
>>>> krb5_renew_interval = 60
>>>> -----------------------------
>>>> We are using the AD plugin, the KRB plugin is not installed but krb-common
>>>> (i.e. krb5_child, ldap_child, libsss_krb5_common.so).
>>>>
>>>> #Everything works fine, except auto-renewal!
>>>>
>>>> See the following example:
>>>> -----------------------------
>>>> $ kinit -l 10m
>>>> Password for ne96soh@ADS.MWN.DE:
>>>
>>> Does the renewal work if you acquire the ticket via SSSD login instead
>>> of kinit? Can you test logging in with some PAM service (gdm, su, ...)
>>
>> Hello Jakub,
>>
>> thanks for the hint. I can confirm that auto-renew works when
>> 1) using graphical login (i.e. SSSD acquired the ticket)
>> 2) reasonably long lifetime (tested w/ 2h) and renewal time (tested w/ 10m).
>>
>> I did have problems when getting the ticket with kinit and short
>> life-/renewal times, as reported originally.
> I think this is kind of expected unless you use a ticket name that is
> predictable (i.e. no XXXXX components in a FILE:/ ccache) because then
> SSSD has no idea which ccache to renew..
Hm, but in my case I was using keyring or dir based caches/collections,
e.g. for the keyring I am sure that the initial cache name (created by
sssd) was not changed with the invocation of 'kinit -l lifetime'. Still,
sssd did not renew the ticket with the modified lifetime (but same cache
name)...
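The two scenarios in this thread (a 10m ticket checked every 60s, and a 2h ticket checked every 10m) can be reasoned about with a small model of the renewal timer. The following is an added example, not SSSD code and not from anyone in the thread. It assumes the behaviour that sssd.conf(5) describes for krb5_renew_interval: SSSD wakes up every krb5_renew_interval seconds and renews a TGT once roughly half of its lifetime has elapsed, as long as the ticket is still valid and still inside its renewable lifetime. The ccache check encodes Jakub's point about XXXXXX templates; the renewable lifetime values (renew_till) are constructed, since the thread does not state them.

```python
"""
Added example: a model of SSSD's periodic TGT renewal, used to check which
ticket/interval combinations can be renewed at all.  Assumed rule (from the
sssd.conf(5) text on krb5_renew_interval, simplified): the timer fires every
krb5_renew_interval seconds and renews a ticket once more than half of its
lifetime has passed, if the ticket is valid and renewable beyond its end time.
"""
from dataclasses import dataclass


@dataclass
class Tgt:
    """Ticket times in seconds (any epoch); renew_till == 0 means not renewable."""
    starttime: int
    endtime: int
    renew_till: int = 0


def is_predictable_ccache(template: str) -> bool:
    """True if SSSD can derive the ccache name from krb5_ccname_template alone.

    A FILE: template that still contains XXXXXX is completed by mkstemp(), so
    the final name is unknown to the renewal code.  KEYRING: and DIR:
    collections are addressed by a fixed name.
    """
    ctype, _, rest = template.partition(":")
    ctype = ctype.upper()
    if ctype == "FILE":
        return "XXXXXX" not in rest
    return ctype in ("KEYRING", "DIR")


def should_renew(tgt: Tgt, now: int) -> bool:
    """Renewal is attempted when the ticket is valid, can still be extended
    (renew_till lies beyond both now and endtime), and more than half of its
    lifetime has elapsed."""
    if not tgt.starttime <= now < tgt.endtime:
        return False
    if tgt.renew_till <= tgt.endtime or tgt.renew_till <= now:
        return False
    elapsed = now - tgt.starttime
    return 2 * elapsed > tgt.endtime - tgt.starttime


def simulate_renewals(tgt: Tgt, renew_interval: int, horizon: int) -> list:
    """Run the renewal timer from tgt.starttime up to horizon and return the
    times at which a renewal was issued.  Each renewal yields a fresh ticket
    with the same lifetime, capped at renew_till (as the KDC would cap it)."""
    lifetime = tgt.endtime - tgt.starttime
    renewed_at = []
    now = tgt.starttime
    while now <= horizon:
        if should_renew(tgt, now):
            tgt = Tgt(now, min(now + lifetime, tgt.renew_till), tgt.renew_till)
            renewed_at.append(now)
        now += renew_interval
    return renewed_at


def ticket_expires_unrenewed(tgt: Tgt, renew_interval: int) -> bool:
    """True when no timer tick lands in the renewable half of the ticket."""
    return not simulate_renewals(tgt, renew_interval, tgt.endtime)


if __name__ == "__main__":
    ONE_WEEK = 7 * 24 * 3600  # constructed renewable lifetime, not from the thread

    # Scenario from the thread: kinit -l 10m with krb5_renew_interval = 60.
    ten_min = Tgt(0, 600, ONE_WEEK)
    print("10m ticket, 60s interval, renewed at:", simulate_renewals(ten_min, 60, 2000))

    # Scenario 2) from the thread: 2h lifetime, 10m renewal interval.
    two_hours = Tgt(0, 7200, ONE_WEEK)
    print("2h ticket, 10m interval, renewed at:", simulate_renewals(two_hours, 600, 7200))

    # A non-renewable ticket (no renew_till) is never touched.
    print("non-renewable 10m ticket:", simulate_renewals(Tgt(0, 600), 60, 2000))

    # Interval as long as the lifetime: the timer never lands inside the ticket.
    print("10m ticket, 10m interval expires unrenewed:",
          ticket_expires_unrenewed(ten_min, 600))

    for tmpl in ("FILE:/tmp/krb5cc_%U_XXXXXX", "FILE:/tmp/krb5cc_%U",
                 "KEYRING:persistent:%U", "DIR:/run/user/%U/krb5cc"):
        print(f"{tmpl:32} predictable: {is_predictable_ccache(tmpl)}")
```

Under this model the 10m/60s combination is schedulable (the first renewal lands at 360s, well before expiry), so the timing alone does not explain the failure reported with kinit; the ccache lookup is the other condition to check, which is what the `is_predictable_ccache` helper models.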