On Wed, Oct 31, 2018 at 07:19:44PM +0000, Jay McCanta wrote:
> I have a new server running Ubuntu Bionic (18.04.01) with sssd 
> 1.16.1-1ubuntu1.  The problem is that our Kerberos tickets are not being 
> renewed while we are logged in.  I have tried using FILE and KEYRING 
> credential caches.  SSH has Kerberos disabled, GSSAPI disabled, and is 
> configured to use PAM.  Logging works, but the ticket expires without being 
> renewed. We are using sssd-ad for auth.   I've cranked up the debug to level 
> 9.  I am unsure where to start to try to troubleshoot.  Advice is appreciated.
> 
> Jay McCanta
> F5 Networks, Inc.
> 
> Here's a sample ticket:
> 
> Ticket cache: KEYRING:persistent:27644:krb_ccache_pBjYhsU
> Default principal: mccanta-ad...@olympus.f5net.com
> 
> 10/31/2018 16:15:51  11/01/2018 02:15:51  krbtgt/example....@example.com
>               renew until 11/07/2018 16:15:51

Can you renew the ticket with kinit -R ?

> 
> /etc/sssd/sssd.conf (ad_access_filter omitted for security):
> [sssd]
> config_file_version = 2
> domains = example.com
> services = nss, pam
> debug_level = 9
> reconnection_retries = 3
> 
> [nss]
> debug_level = 9
> 
> [pam]
> debug_level = 9
> 
> [domain/example.com]
> debug_level = 9
> id_provider = ad
>   default_ccache_tempate=KEYRING:persistent:%U
>   krb5_renewable_lifetime=10d
>   krb_renew_interval=2h
>   auth_provider = ad
> access_provider = ad
> ldap_id_mapping = False
> ad_gpo_access_control = permissive
> 
> Krb5.conf:
> [libdefaults]
>               default_realm = EXAMPLE.COM
>               dns_lookup_realm = true
>               dns_lookup_kdc = true
>               ticket_lifetime = 24h
>               renew_lifetime = 7d
>               rdns = false
>               forwardable = yes
>                 default_ccache_name=KEYRING:persistent:%{uid}
> 
> [realms]
>               EXAMPLE.COM = {
>                              default_domain = example.com
>                                            #site=SE3CIP
>                                            kdc=dc01.example.com:88
>                                            kdc=dc02.example.com:88
>               }
> 
> [domain_realm]
>               example.com = EXAMPLE.COM
>               .example.com = EXAMPLE.COM

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
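As an added example, not code from either message: a small Python checker that reads the [domain/...] section of a pasted sssd.conf together with a klist snapshot and lists reasons the TGT would not be renewed. It assumes the sssd-krb5(5) option names krb5_renew_interval and krb5_renewable_lifetime govern renewal, that sssd ignores option names it does not recognise, and that indented lines in the paste are meant as ordinary keys; the sample inputs are constructed to mirror the posted config and ticket.

```python
import re
from datetime import datetime, timedelta
# sssd-krb5(5) option names this checker recognises (assumed subset, not exhaustive).
KNOWN = {"krb5_renew_interval", "krb5_renewable_lifetime", "krb5_lifetime",
         "krb5_ccname_template", "krb5_ccachedir", "krb5_server", "krb5_realm",
         "krb5_keytab", "krb5_validate", "krb5_store_password_if_offline"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
# klist prints "<start>  <expiry>  krbtgt/..." followed by "renew until <time>".
KLIST_RE = re.compile(r"(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/\S+\s+renew until (\S+ \S+)")

def parse_domain_section(conf):
    # {key: value} for the first [domain/...] section; indentation is ignored (assumption).
    opts, in_domain = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_domain = line.startswith("[domain/")
        elif in_domain and "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts

def to_seconds(value):  # "2h", "10d" or bare seconds, as sssd accepts them
    return int(value[:-1]) * UNITS[value[-1]] if value[-1] in UNITS else int(value)

def check_renewal(conf, klist_out):
    """Return findings that explain why sssd may not be renewing the TGT."""
    opts, findings = parse_domain_section(conf), []
    for key in opts:
        if key not in KNOWN and ("krb" in key or "ccache" in key):
            findings.append(f"unrecognised option {key!r}: likely a typo, sssd ignores it")
    interval = to_seconds(opts.get("krb5_renew_interval", "0"))
    if interval == 0:
        findings.append("krb5_renew_interval unset or 0: automatic renewal is off")
    m = KLIST_RE.search(klist_out)
    if not m:
        return findings + ["no renewable krbtgt found in klist output"]
    start, expiry, renew_until = (datetime.strptime(t, "%m/%d/%Y %H:%M:%S") for t in m.groups())
    if renew_until <= expiry:
        findings.append("TGT is not renewable: 'renew until' does not exceed expiry")
    if interval and timedelta(seconds=interval) >= expiry - start:
        findings.append("krb5_renew_interval is not shorter than the ticket lifetime")
    return findings

# Constructed inputs mirroring the posted sssd.conf and klist output.
SAMPLE_CONF = "[domain/example.com]\nid_provider = ad\n  krb5_renewable_lifetime=10d\n  krb_renew_interval=2h\n"
SAMPLE_KLIST = "10/31/2018 16:15:51  11/01/2018 02:15:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n\trenew until 11/07/2018 16:15:51\n"
print("\n".join(check_renewal(SAMPLE_CONF, SAMPLE_KLIST)) or "no problems found")
```

Run it against the real files with `sssctl config-check` alongside; the checker only covers the renewal-related keys it knows about.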