On Wed, Oct 31, 2018 at 07:19:44PM +0000, Jay McCanta wrote:
> I have a new server running Ubuntu Bionic (18.04.01) with sssd
> 1.16.1-1ubuntu1. The problem is that our Kerberos tickets are not being
> renewed while we are logged in. I have tried using FILE and KEYRING
> credential caches. SSH has Kerberos disabled, GSSAPI disabled, and is
> configured to use PAM. Logging works, but the ticket expires without being
> renewed. We are using sssd-ad for auth. I've cranked up the debug to level
> 9. I am unsure where to start to try to troubleshoot. Advice is appreciated.
>
> Jay McCanta
> F5 Networks, Inc.
>
> Here's a sample ticket:
>
> Ticket cache: KEYRING:persistent:27644:krb_ccache_pBjYhsU
> Default principal: mccanta-ad...@olympus.f5net.com
>
> 10/31/2018 16:15:51 11/01/2018 02:15:51 krbtgt/example....@example.com
> renew until 11/07/2018 16:15:51

Can you renew the ticket with kinit -R?

>
> /etc/sssd/sssd.conf (ad_access_filter omitted for security):
> [sssd]
> config_file_version = 2
> domains = example.com
> services = nss, pam
> debug_level = 9
> reconnection_retries = 3
>
> [nss]
> debug_level = 9
>
> [pam]
> debug_level = 9
>
> [domain/example.com]
> debug_level = 9
> id_provider = ad
> default_ccache_tempate=KEYRING:persistent:%U
> krb5_renewable_lifetime=10d
> krb_renew_interval=2h
> auth_provider = ad
> access_provider = ad
> ldap_id_mapping = False
> ad_gpo_access_control = permissive
>
> Krb5.conf:
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> rdns = false
> forwardable = yes
> default_ccache_name=KEYRING:persistent:%{uid}
>
> [realms]
> EXAMPLE.COM = {
> default_domain = example.com
> #site=SE3CIP
> kdc=dc01.example.com:88
> kdc=dc02.example.com:88
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
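Added example, not part of the thread and not SSSD project code: a check of the posted [domain/example.com] keys against the ticket cache and renewal option names documented in sssd-krb5(5), which also states that automatic renewal is disabled when krb5_renew_interval is unset or 0. The audit() helper, the RENEWAL_OPTIONS list (a partial list, limited to those four options) and the 0.6 similarity cutoff are choices made for this example.

```python
import configparser
import difflib

# Ticket cache/renewal option names documented in sssd-krb5(5) (partial list).
RENEWAL_OPTIONS = (
    "krb5_ccname_template",
    "krb5_lifetime",
    "krb5_renewable_lifetime",
    "krb5_renew_interval",
)

# The [domain/...] section exactly as posted in the thread.
POSTED = """\
[domain/example.com]
debug_level = 9
id_provider = ad
default_ccache_tempate=KEYRING:persistent:%U
krb5_renewable_lifetime=10d
krb_renew_interval=2h
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive
"""

def audit(conf_text):
    """Per domain: the krb5_renew_interval value (None if unset) and any keys
    that are not renewal options but closely resemble one."""
    # interpolation=None: values such as %U must not be treated as templates.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        keys = dict(cp.items(section))
        suspect = {}
        for key in keys:
            if key in RENEWAL_OPTIONS:
                continue
            near = difflib.get_close_matches(key, RENEWAL_OPTIONS, n=1, cutoff=0.6)
            if near:
                suspect[key] = near[0]
        report[section[len("domain/"):]] = {
            "renew_interval": keys.get("krb5_renew_interval"),
            "suspect": suspect,
        }
    return report

if __name__ == "__main__":
    for domain, result in audit(POSTED).items():
        print(domain, result)
```

On an installed system, `sssctl config-check` performs the authoritative validation of option names in sssd.conf.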