Public bug reported:

I have domain joined multiple workstations using Ubuntu 18.04. The process was straightforward and I had no complaints. Until I found out my renewable TGTs were not being renewed at all.

sssd doesn't seem to even attempt to renew my logged-in account's ticket.

Some system/package information:

  Description: Ubuntu 18.04.5 LTS
  Release: 18.04
  sssd:
    Installed: 1.16.1-1ubuntu1.7
    Candidate: 1.16.1-1ubuntu1.7
  sssd-krb5:
    Installed: 1.16.1-1ubuntu1.7
    Candidate: 1.16.1-1ubuntu1.7
  krb5-user:
    Installed: 1.16-2ubuntu0.2
    Candidate: 1.16-2ubuntu0.2

This is what the ticket looks like:

  Ticket cache: FILE:/tmp/krb5cc_1234_0rNUa0
  Default principal: t...@mydomain.dk

  Valid starting       Expires              Service principal
  08/27/2021 10:21:26  08/27/2021 11:21:26  krbtgt/mydomain...@mydomain.dk
          renew until 09/03/2021 10:21:26

Ticket lifetime and renewable lifetime are only configured in sssd.conf (no mention of this in krb5.conf), so the settings do seem to be in effect. The logs also show the machine ticket is being renewed every ~15 minutes.

Even with debug_level on 12, there is NO mention of my current logged-in account or Kerberos cache being tracked for renewal or renewed. Sometimes a message like this shows up:

  sssd_mydomain.dk.log:(Thu Aug 26 16:35:21 2021) [sssd[be[mydomain.dk]]] [krb5_auth_done] (0x1000): Adding [FILE:/tmp/krb5cc_1234_0ZyYae] for automatic renewal.

But I have never seen a ticket being automatically renewed after it has expired but before the renewable expiration date. The current log-in session was created on Aug 26 16:54 and again, no mention of the account being tracked to renew. The message above was the last mention of "renewal" in the logs, despite having a signed-in account with an expired ticket for over 12 hours.

Here is my sssd.conf:

  [sssd]
  domains = mydomain.dk
  config_file_version = 2
  services = nss, pam
  debug_level = 12

  [domain/mydomain.dk]
  ad_gpo_access_control = permissive
  ad_domain = mydomain.dk
  krb5_realm = MYDOMAIN.DK
  realmd_tags = manages-system joined-with-adcli
  cache_credentials = True
  id_provider = ad
  krb5_store_password_if_offline = True
  default_shell = /bin/bash
  ldap_id_mapping = False
  use_fully_qualified_names = False
  fallback_homedir = /home/%u
  access_provider = ad
  krb5_renewable_lifetime = 7d
  krb5_lifetime = 1h
  krb5_renew_interval = 55s
  ad_gpo_map_network = +nx

Here is my krb5.conf:

  [libdefaults]
  default_realm = SILICOM.DK
  allow_weak_crypto = false
  kdc_timesync = 1
  ccache_type = 4
  forwardable = true
  proxiable = true

  [realms]
  MYDOMAIN.DK = {
      kdc = dc03.mydomain.dk
      kdc = dc04.mydomain.dk
      admin_server = dc03.mydomain.dk
      default_domain = mydomain.dk
  }

  [domain_realm]
  .mydomain.dk = MYDOMAIN.DK
  mydomain.dk = MYDOMAIN.DK

  [logging]
  kdc = SYSLOG:INFO:DAEMON
  admin_server = SYSLOG:INFO:DAEMON
  default = SYSLOG:INFO:DAEMON

Please let me know which other information I can/should provide.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: sssd-krb5 1.16.1-1ubuntu1.7
ProcVersionSignature: Ubuntu 5.4.0-81.91~18.04.1-generic 5.4.128
Uname: Linux 5.4.0-81-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.24
Architecture: amd64
CurrentDesktop: XFCE
Date: Fri Aug 27 10:28:49 2021
ProcEnviron:
  LANGUAGE=en_US
  PATH=(custom, no user)
  XDG_RUNTIME_DIR=<set>
  LANG=en_US.UTF-8
  SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug bionic

** Attachment added: "sssd-bug.tar.gz"
   https://bugs.launchpad.net/bugs/1941857/+attachment/5521135/+files/sssd-bug.tar.gz

** Description changed:

  I have domain joined multiple workstations using Ubuntu 18.04. The process was straight forward and I had no complaints.
Until I found out my renewable TGT's were not being renewed at all. sssd doesnt seem to even attempt to renew my logged in account's ticket. Some system/package information: Description: Ubuntu 18.04.5 LTS Release: 18.04 sssd: - Installed: 1.16.1-1ubuntu1.7 - Candidate: 1.16.1-1ubuntu1.7 + Installed: 1.16.1-1ubuntu1.7 + Candidate: 1.16.1-1ubuntu1.7 sssd-krb5: - Installed: 1.16.1-1ubuntu1.7 - Candidate: 1.16.1-1ubuntu1.7 + Installed: 1.16.1-1ubuntu1.7 + Candidate: 1.16.1-1ubuntu1.7 krb5-user: - Installed: 1.16-2ubuntu0.2 - Candidate: 1.16-2ubuntu0.2 + Installed: 1.16-2ubuntu0.2 + Candidate: 1.16-2ubuntu0.2 This is what the ticket looks like: Ticket cache: FILE:/tmp/krb5cc_1234_0rNUa0 Default principal: t...@mydomain.dk Valid starting Expires Service principal - 08/27/2021 10:21:26 08/27/2021 11:21:26 krbtgt/silicom...@silicom.dk - renew until 09/03/2021 10:21:26 + 08/27/2021 10:21:26 08/27/2021 11:21:26 krbtgt/mydomain...@mydomain.dk + renew until 09/03/2021 10:21:26 Ticket lifetime and renewable lifetime are only configured in sssd.conf (no mention of this in krb5.conf) so the settings do seem to be in affect. The logs also show the machine ticket is being renewed every ~15 minutes. Even with debug_level on 12, there is NO mention of my current logged in account or kerberos cache being tracked for renewal or renewed. Sometimes a message like this shows up: sssd_mydomain.dk.log:(Thu Aug 26 16:35:21 2021) [sssd[be[mydomain.dk]]] [krb5_auth_done] (0x1000): Adding [FILE:/tmp/krb5cc_1234_0ZyYae] for automatic renewal. But I have never seen a ticket being automatically renewed after its expired but before the renewable expiration date. The current log-in session was created on Aug 26 16:54 and again, no mention of the account being tracked to renew. The message above was the last mention of "renewal" in the logs, despite having a signed in account with an expired ticket for over 12 hours. 
Here is my sssd.conf: [sssd] domains = mydomain.dk config_file_version = 2 services = nss, pam debug_level = 12 [domain/mydomain.dk] ad_gpo_access_control = permissive ad_domain = mydomain.dk krb5_realm = MYDOMAIN.DK realmd_tags = manages-system joined-with-adcli cache_credentials = True id_provider = ad krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u access_provider = ad krb5_renewable_lifetime = 7d krb5_lifetime = 1h krb5_renew_interval = 55s ad_gpo_map_network = +nx Here is my krb5.conf: [libdefaults] - default_realm = SILICOM.DK - allow_weak_crypto = false + default_realm = SILICOM.DK + allow_weak_crypto = false - kdc_timesync = 1 - ccache_type = 4 - forwardable = true - proxiable = true + kdc_timesync = 1 + ccache_type = 4 + forwardable = true + proxiable = true [realms] - MYDOMAIN.DK = { - kdc = dc03.mydomain.dk - kdc = dc04.mydomain.dk - admin_server = dc03.mydomain.dk - default_domain = mydomain.dk - } + MYDOMAIN.DK = { + kdc = dc03.mydomain.dk + kdc = dc04.mydomain.dk + admin_server = dc03.mydomain.dk + default_domain = mydomain.dk + } [domain_realm] - .mydomain.dk = MYDOMAIN.DK - mydomain.dk = MYDOMAIN.DK + .mydomain.dk = MYDOMAIN.DK + mydomain.dk = MYDOMAIN.DK [logging] - kdc = SYSLOG:INFO:DAEMON - admin_server = SYSLOG:INFO:DAEMON - default = SYSLOG:INFO:DAEMON + kdc = SYSLOG:INFO:DAEMON + admin_server = SYSLOG:INFO:DAEMON + default = SYSLOG:INFO:DAEMON Please let me know which other information I can/should provide. 
ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: sssd-krb5 1.16.1-1ubuntu1.7 ProcVersionSignature: Ubuntu 5.4.0-81.91~18.04.1-generic 5.4.128 Uname: Linux 5.4.0-81-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.24 Architecture: amd64 CurrentDesktop: XFCE Date: Fri Aug 27 10:28:49 2021 ProcEnviron: - LANGUAGE=en_US - PATH=(custom, no user) - XDG_RUNTIME_DIR=<set> - LANG=en_US.UTF-8 - SHELL=/bin/bash + LANGUAGE=en_US + PATH=(custom, no user) + XDG_RUNTIME_DIR=<set> + LANG=en_US.UTF-8 + SHELL=/bin/bash SourcePackage: sssd UpgradeStatus: No upgrade log present (probably fresh install) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1941857 Title: sssd does not renew user TGT even when krb5_renew_internal and _lifetime are set. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1941857/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
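Review bot: the anonymization in this description edit is incomplete. The only substantive change is in the klist hunk, where krbtgt/silicom...@silicom.dk becomes krbtgt/mydomain...@mydomain.dk, but the [libdefaults] hunk carries "default_realm = SILICOM.DK" unchanged on both the - and + side, so the realm name the ticket hunk was meant to hide still appears a few lines lower. Read literally, the + side of krb5.conf now names a default_realm with no [realms] entry while the sssd domain uses krb5_realm = MYDOMAIN.DK; either anonymize that line too, or, if the two really differ on the reporter's machine, say so, because it changes which realm a bare kinit on the workstation talks to.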
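One point in the report deserves a worked illustration: the reporter expects the TGT to be renewed "after it has expired but before the renewable expiration date". Kerberos does not offer that. The KDC only accepts a renewal (kinit -R, or sssd's renewal task) while the ticket is still valid; "renew until" is the ceiling up to which successive renewals may push the end time, not a grace period. With krb5_lifetime = 1h every renewal therefore has to land inside that hour, and sssd-krb5(5) documents that the renewal task, which runs every krb5_renew_interval, renews a TGT once about half of its lifetime is exceeded, and that an interval of 0 disables renewal entirely. The script below is an added diagnostic written for this page; it is not code from the bug report or from sssd. It parses MIT klist output (the sample is constructed in klist's layout; the cache path and principal user@MYDOMAIN.DK are hypothetical), reports whether the TGT is still inside the window in which a renewal can succeed, and sanity-checks the three krb5_* keys from the reporter's sssd.conf against the rules above. It says nothing about why sssd never logged a renewal for this cache; it only shows what "renewable" does and does not cover.

```python
import re
from datetime import datetime

# sssd-krb5(5) duration syntax for krb5_lifetime & co: [number][unit], unit in s/m/h/d,
# no unit means seconds.
_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
_KLIST_TIME = "%m/%d/%Y %H:%M:%S"   # MIT klist(1) default timestamp layout
_ENTRY = re.compile(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(\S+)\s*$")
_RENEW = re.compile(r"^\s*renew until (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s*$")

# Constructed sample in the layout of MIT klist output; cache path and principal are hypothetical.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1234_example
Default principal: user@MYDOMAIN.DK

Valid starting       Expires              Service principal
08/27/2021 10:21:26  08/27/2021 11:21:26  krbtgt/MYDOMAIN.DK@MYDOMAIN.DK
\trenew until 09/03/2021 10:21:26
"""

# The three renewal keys exactly as they appear in the reporter's [domain/mydomain.dk] section.
SAMPLE_DOMAIN = {"krb5_lifetime": "1h", "krb5_renewable_lifetime": "7d", "krb5_renew_interval": "55s"}


def parse_duration(value):
    """Parse an sssd.conf lifetime such as '7d', '1h', '55s' or '300' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("not an sssd duration: %r" % (value,))
    return int(m.group(1)) * _UNITS[m.group(2)]


def parse_klist_time(text):
    """Turn a klist timestamp ('08/27/2021 11:21:26') into a naive datetime."""
    return datetime.strptime(text, _KLIST_TIME)


def check_renewal_config(domain):
    """Return the problems with the krb5_* renewal keys of one [domain/...] section."""
    lifetime = parse_duration(domain.get("krb5_lifetime", "0"))
    renewable = parse_duration(domain.get("krb5_renewable_lifetime", "0"))
    interval = parse_duration(domain.get("krb5_renew_interval", "0"))  # sssd default is 0
    problems = []
    if interval == 0:
        problems.append("krb5_renew_interval is 0 or unset: sssd-krb5(5) says renewal is disabled")
    if renewable <= lifetime:
        problems.append("krb5_renewable_lifetime must exceed krb5_lifetime for the TGT to be renewable")
    # Per sssd-krb5(5) the task renews once about half of the lifetime is exceeded, and a
    # renewal is only possible before expiry; an interval longer than half the lifetime
    # can therefore miss the window entirely.
    if lifetime and interval and interval * 2 > lifetime:
        problems.append("krb5_renew_interval is more than half of krb5_lifetime: "
                        "the TGT can expire between two renewal checks")
    return problems


def parse_klist(text):
    """Parse MIT klist output into {'cache', 'principal', 'tickets': [...]}."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        else:
            entry = _ENTRY.match(line)
            renew = _RENEW.match(line)
            if entry:
                info["tickets"].append({"start": parse_klist_time(entry.group(1)),
                                        "expires": parse_klist_time(entry.group(2)),
                                        "service": entry.group(3), "renew_until": None})
            elif renew and info["tickets"]:   # 'renew until' belongs to the preceding entry
                info["tickets"][-1]["renew_until"] = parse_klist_time(renew.group(1))
    return info


def tgt_state(ticket, now):
    """'expired' (no renewal possible, whatever renew-until says), 'valid_not_renewable'
    (still usable, but renew-until has passed or was never set) or 'renewable'."""
    if now >= ticket["expires"]:
        return "expired"
    if ticket["renew_until"] is None or now >= ticket["renew_until"]:
        return "valid_not_renewable"
    return "renewable"


def assess(klist_text, domain, now):
    """Combine the ccache view and the sssd.conf view into one report."""
    info = parse_klist(klist_text)
    tgt = next((t for t in info["tickets"] if t["service"].startswith("krbtgt/")), None)
    if tgt is None:
        return {"state": "no_tgt", "config_problems": check_renewal_config(domain)}
    return {
        "cache": info["cache"],
        "state": tgt_state(tgt, now),
        # seconds in which a renewal request can still succeed; 0 once the TGT has expired
        "renew_window_left": max(0, int((tgt["expires"] - now).total_seconds())),
        "renew_until": tgt["renew_until"],
        "config_problems": check_renewal_config(domain),
    }


if __name__ == "__main__":
    for when in ("08/27/2021 11:00:00", "08/27/2021 12:00:00"):
        print(when, assess(SAMPLE_KLIST, SAMPLE_DOMAIN, parse_klist_time(when)))
```

To run it against a live session, feed `subprocess.check_output(["klist"], text=True)` to `assess` instead of the sample. The quickest confirmation of the KDC side is a manual `kinit -R` while klist still shows the TGT as valid; once the ticket has expired, `kinit -R` fails and only a fresh authentication produces a new TGT, which is exactly why an expired-but-within-renew-until cache never comes back on its own.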