Hello,

I've been trying to get this working for several weeks now, but the Kerberos tickets keep expiring after 7 days.

They just expired again today. I think I have set up everything correctly, but it still doesn't seem to work.
I hope someone on this list can point me in the right direction.

Below is some more information.
The machine is joined to an Active Directory realm with net ads join -k.


[root@hostname ~] cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log


[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
 dns_lookup_kdc = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
# Define only if DNS lookups are not working
# example.com = {
#  kdc = DC01
#  admin_server = DC01.example.com
# }

# EXAMPLE.COM = {
#  kdc = DC01.example.com
#  kdc = DC02.example.com
#  kdc = DC03.example.com
#  kdc = DC04.example.com
# }
 
[domain_realm]
# Define only if DNS lookups are not working
# .brain.com = EXAMPLE.COM
# example.com = EXAMPLE.COM

[root@hostname ~] cat /etc/samba/smb.conf
# commented lines removed
[global]
    security = ads
    passdb backend = tdbsam
    realm = EXAMPLE.COM

    password server = dc01.example.com dc02.example.com
    kerberos method = secrets and keytab
    client signing = yes
    client use spnego = yes

    load printers = yes
    cups options = raw

[homes]
    comment = Home Directories
    browseable = no
    writable = yes
   
[printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

[root@hostname ~] cat /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam, pac, sudo, autofs
debug_level = 6
 
[nss]
debug_level = 3
 
[pam]
debug_level = 3
 
[sudo]
debug_level = 3
 
[autofs]
debug_level = 3
 
[domain/example.com]
debug_level = 6
 
ad_domain = example.com
ad_hostname = hostname.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = True
id_provider = ad
auth_provider = krb5
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/users/%u
access_provider = ad
 
# LDAP settings
 
ldap_schema = rfc2307bis
# Unless you know you need referrals, turn them off
ldap_referrals = false
# Uncomment if you need offline logins (note: cache_credentials is already set to True above)
# cache_credentials = true
enumerate = false

ldap_sasl_mech = GSSAPI

ldap_user_search_base = ou=Brain2HQ,dc=brain2,dc=com
ldap_user_object_class = user
 
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
 
ldap_group_search_base = ou=Groups,dc=brain2,dc=com
ldap_group_object_class = group
 
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
 
# sudo settings
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=brain2,dc=com
 
# autofs settings
autofs_provider = ldap
ldap_autofs_search_base=ou=automount,dc=brain2,dc=com
ldap_autofs_map_object_class=nisMap
ldap_autofs_entry_object_class=nisObject
ldap_autofs_map_name=nisMapName
ldap_autofs_entry_key=cn
ldap_autofs_entry_value=nisMapEntry
 
# shell settings
allowed_shells = /bin/sh,/bin/bash,/bin/zsh,/bin/fish,/bin/ksh,
vetoed_shells = /bin/csh,/bin/tcsh
shell_fallback = /bin/bash
 
# kerberos settings
 
# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false
krb5_renewable_lifetime = 1d
krb5_renew_interval = 60s
# normally set by the KDC (kept on its own line: sssd.conf does not treat a trailing "#" as a comment)
krb5_lifetime = 1h

Kerberos tickets and logs of today:
[root@hostname ~] klist -f /var/lib/sss/db/ccache_example.com
Ticket cache: FILE:/var/lib/sss/db/ccache_example.com
Default principal: hostname$@example.com

Valid starting     Expires            Service principal
11/30/15 13:16:40  11/30/15 23:16:44  krbtgt/example.com@example.com
    renew until 12/07/15 13:16:40, Flags: RIA
11/30/15 13:16:44  11/30/15 23:16:44  ldap/dc02.example.com@
    renew until 12/07/15 13:16:40, Flags: RAO
11/30/15 13:16:44  11/30/15 23:16:44  ldap/dc02.example.com@example.com
    renew until 12/07/15 13:16:40, Flags: RAO
11/30/15 13:16:44  11/30/15 23:16:44  DNS/dc01.example.com@example.com
    renew until 12/07/15 13:16:40, Flags: RAO
[root@hostname ~] grep renew /var/log/sssd/sssd_example.com.log
(Mon Nov 30 08:28:49 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 09:55:42 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0100): Successfully renewed TGT for user [John Doe].
(Mon Nov 30 10:26:42 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0100): Successfully renewed TGT for user [John Doe].
(Mon Nov 30 11:36:44 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): krb5_auth request failed.
(Mon Nov 30 11:36:44 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0200): Giving back pam data.
(Mon Nov 30 11:36:44 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): krb5_auth request failed.
(Mon Nov 30 11:36:44 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0200): Giving back pam data.
(Mon Nov 30 11:38:07 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): krb5_auth request failed.
(Mon Nov 30 11:38:07 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0200): Giving back pam data.
(Mon Nov 30 11:38:13 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): krb5_auth request failed.
(Mon Nov 30 11:38:13 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0200): Giving back pam data.
(Mon Nov 30 11:47:35 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): Failed to renew TGT for user [John Doe].
(Mon Nov 30 11:47:35 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): Failed to renew TGT for user [Lucy Doe].
(Mon Nov 30 14:16:07 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 17:19:34 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 18:20:26 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 18:21:36 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 19:11:06 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 19:26:31 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 23:30:05 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 00:16:56 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 01:18:39 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 01:32:16 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 03:22:02 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 04:34:30 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 06:27:39 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 06:38:20 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 07:34:20 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 07:56:02 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 08:33:09 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec  1 10:40:41 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.


To be clear, everything works fine until the TGT expires.

Kind Regards,


Andy