On Wed, Oct 31, 2018 at 07:19:44PM +0000, Jay McCanta wrote:
I have a new server running Ubuntu Bionic (18.04.01) with sssd
1.16.1-1ubuntu1. The problem is that our Kerberos tickets are not being renewed while we
are logged in. I have tried using FILE and KEYRING credential caches. SSH has Kerberos
disabled, GSSAPI disabled, and is configured to use PAM. Logging works, but the ticket
expires without being renewed. We are using sssd-ad for auth. I've cranked up the
debug to level 9. I am unsure where to start to try to troubleshoot. Advice is
appreciated.
Jay McCanta
F5 Networks, Inc.
Here's a sample ticket:
Ticket cache: KEYRING:persistent:27644:krb_ccache_pBjYhsU
Default principal: mccanta-admin(a)OLYMPUS.F5NET.COM
10/31/2018 16:15:51 11/01/2018 02:15:51 krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
renew until 11/07/2018 16:15:51

Can you renew the ticket with kinit -R?

/etc/sssd/sssd.conf (ad_access_filter omitted for security):
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
debug_level = 9
reconnection_retries = 3
[nss]
debug_level = 9
[pam]
debug_level = 9
[domain/example.com]
debug_level = 9
id_provider = ad
default_ccache_tempate=KEYRING:persistent:%U
krb5_renewable_lifetime=10d
krb_renew_interval=2h
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive
Krb5.conf:
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
rdns = false
forwardable = yes
default_ccache_name=KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
default_domain = example.com
#site=SE3CIP
kdc=dc01.example.com:88
kdc=dc02.example.com:88
}
[domain_realm]
example.com = EXAMPLE.COM
.example.com = EXAMPLE.COM
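
An added example, not part of the original thread and not SSSD code: a small Python check that compares the option names in a `[domain/...]` section against the names documented in sssd.conf(5), sssd-ad(5) and sssd-krb5(5), and reports whether the renewal options are actually present. sssd-krb5(5) states that automatic renewal is disabled when `krb5_renew_interval` is not set. The allowlist is a deliberately partial assumption covering only the options seen in this thread, and the sample input is constructed from the configuration quoted above.

```python
import configparser
import difflib

# Partial allowlist (assumption: only the options relevant to this thread,
# as documented in sssd.conf(5), sssd-ad(5), sssd-ldap(5) and sssd-krb5(5)).
KNOWN_DOMAIN_OPTIONS = {
    "debug_level", "id_provider", "auth_provider", "access_provider",
    "ldap_id_mapping", "ad_gpo_access_control", "ad_access_filter",
    "krb5_ccname_template", "krb5_lifetime",
    "krb5_renewable_lifetime", "krb5_renew_interval",
}
# Options that sssd-krb5(5) ties to automatic TGT renewal.
RENEWAL_OPTIONS = ("krb5_renewable_lifetime", "krb5_renew_interval")

# Constructed sample: the [domain/...] section as quoted in the thread.
SAMPLE_CONF = """
[domain/example.com]
debug_level = 9
id_provider = ad
default_ccache_tempate=KEYRING:persistent:%U
krb5_renewable_lifetime=10d
krb_renew_interval=2h
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive
"""

def audit_domain_sections(conf_text):
    """Return {section: {"unknown": {opt: suggestion or None}, "renewal_missing": [...]}}."""
    # interpolation=None so values such as %U are never treated as references.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = set(parser.options(section))
        unknown = {}
        for opt in sorted(opts - KNOWN_DOMAIN_OPTIONS):
            # Suggest the closest documented name, if any is similar enough.
            close = difflib.get_close_matches(opt, KNOWN_DOMAIN_OPTIONS, n=1)
            unknown[opt] = close[0] if close else None
        missing = [o for o in RENEWAL_OPTIONS if o not in opts]
        report[section] = {"unknown": unknown, "renewal_missing": missing}
    return report

if __name__ == "__main__":
    for section, result in audit_domain_sections(SAMPLE_CONF).items():
        print(section, result)
```
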