On Wed, Oct 31, 2018 at 07:19:44PM +0000, Jay McCanta wrote:
I have a new server running Ubuntu Bionic (18.04.01) with sssd 1.16.1-1ubuntu1. The problem is that our Kerberos tickets are not being renewed while we are logged in. I have tried using FILE and KEYRING credential caches. SSH has Kerberos disabled, GSSAPI disabled, and is configured to use PAM. Logging works, but the ticket expires without being renewed. We are using sssd-ad for auth. I've cranked up the debug to level 9. I am unsure where to start to try to troubleshoot. Advice is appreciated.
Jay McCanta
F5 Networks, Inc.
Here's a sample ticket:
Ticket cache: KEYRING:persistent:27644:krb_ccache_pBjYhsU
Default principal: mccanta-admin@OLYMPUS.F5NET.COM

10/31/2018 16:15:51  11/01/2018 02:15:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 11/07/2018 16:15:51
Can you renew the ticket with kinit -R ?
/etc/sssd/sssd.conf (ad_access_filter omitted for security):

[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
debug_level = 9
reconnection_retries = 3

[nss]
debug_level = 9

[pam]
debug_level = 9

[domain/example.com]
debug_level = 9
id_provider = ad
default_ccache_tempate=KEYRING:persistent:%U
krb5_renewable_lifetime=10d
krb_renew_interval=2h
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive

krb5.conf:

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = yes
default_ccache_name=KEYRING:persistent:%{uid}

[realms]
EXAMPLE.COM = {
  default_domain = example.com
  #site=SE3CIP
  kdc=dc01.example.com:88
  kdc=dc02.example.com:88
}

[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
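The domain section quoted above spells two options as default_ccache_tempate and krb_renew_interval, while sssd-krb5(5) documents krb5_ccname_template and krb5_renew_interval; sssd does not act on an option name it does not recognise, and with krb5_renew_interval unset the default of 0 disables automatic renewal. The check below is an added example, not code from the thread or from the SSSD project: it parses a constructed sssd.conf mirroring the posted domain section, reports every option whose name is not in a short list of documented names (that list is an assumption, limited to the options this thread uses), suggests the closest documented spelling, and reports whether renewal is actually configured.

```python
import configparser
import difflib

# Documented option names from sssd-krb5(5) / sssd-ad(5) that the posted domain
# section uses or should use; assumption: deliberately limited to this thread.
KNOWN_DOMAIN_OPTIONS = {
    "id_provider", "auth_provider", "access_provider", "debug_level",
    "ldap_id_mapping", "ad_gpo_access_control", "ad_access_filter",
    "krb5_renewable_lifetime", "krb5_renew_interval", "krb5_ccname_template",
}

# Constructed sample mirroring the domain section posted in the thread.
SAMPLE_SSSD_CONF = """\
[domain/example.com]
debug_level = 9
id_provider = ad
default_ccache_tempate=KEYRING:persistent:%U
krb5_renewable_lifetime=10d
krb_renew_interval=2h
auth_provider = ad
access_provider = ad
"""

def load(text):
    """Parse sssd.conf text; interpolation is off so %U survives untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def unknown_options(text):
    """Map each unrecognised option in every [domain/...] section to the
    closest documented name, or None when nothing is close enough."""
    cp, findings = load(text), {}
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        for name in cp[section]:
            if name not in KNOWN_DOMAIN_OPTIONS:
                close = difflib.get_close_matches(name, KNOWN_DOMAIN_OPTIONS, n=1)
                findings[name] = close[0] if close else None
    return findings

def renewal_configured(text, domain):
    """True only if krb5_renew_interval is set and non-zero: sssd's default
    is 0, which means the TGT is never renewed automatically."""
    value = load(text)["domain/" + domain].get("krb5_renew_interval", "0")
    return value.strip().rstrip("smhd") not in ("", "0")

if __name__ == "__main__":
    for name, hint in unknown_options(SAMPLE_SSSD_CONF).items():
        print(f"unknown option {name!r}, closest documented name: {hint!r}")
    print("renewal configured:", renewal_configured(SAMPLE_SSSD_CONF, "example.com"))
```

On a real host the same class of mistake is reported by sssctl config-check, which validates sssd.conf against the full option list.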
Yes. kinit -R renews the ticket (if it hasn't expired).
-----Original Message-----
From: Jakub Hrozek <jhrozek@redhat.com>
Sent: Wednesday, October 31, 2018 12:25 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Ubuntu Bionic - sssd 1.16.1 - kerberos ticket not renewing