Public bug reported:

I have domain joined multiple workstations using Ubuntu 18.04. The
process was straightforward and I had no complaints. Until I found out
my renewable TGTs were not being renewed at all.

sssd doesn't seem to even attempt to renew my logged-in account's ticket.

Some system/package information:

Description:    Ubuntu 18.04.5 LTS
Release:        18.04

sssd:
  Installed: 1.16.1-1ubuntu1.7
  Candidate: 1.16.1-1ubuntu1.7

sssd-krb5:
  Installed: 1.16.1-1ubuntu1.7
  Candidate: 1.16.1-1ubuntu1.7

krb5-user:
  Installed: 1.16-2ubuntu0.2
  Candidate: 1.16-2ubuntu0.2

This is what the ticket looks like:

Ticket cache: FILE:/tmp/krb5cc_1234_0rNUa0
Default principal: t...@mydomain.dk

Valid starting       Expires              Service principal
08/27/2021 10:21:26  08/27/2021 11:21:26  krbtgt/mydomain...@mydomain.dk
 renew until 09/03/2021 10:21:26

Ticket lifetime and renewable lifetime are only configured in sssd.conf
(no mention of this in krb5.conf) so the settings do seem to be in
effect. The logs also show the machine ticket is being renewed every ~15
minutes.

Even with debug_level on 12, there is NO mention of my current logged-in
account or Kerberos cache being tracked for renewal or renewed.

Sometimes a message like this shows up:
sssd_mydomain.dk.log:(Thu Aug 26 16:35:21 2021) [sssd[be[mydomain.dk]]] [krb5_auth_done] (0x1000): Adding [FILE:/tmp/krb5cc_1234_0ZyYae] for automatic renewal.

But I have never seen a ticket being automatically renewed after it's
expired but before the renewable expiration date. The current log-in
session was created on Aug 26 16:54 and again, no mention of the account
being tracked to renew. The message above was the last mention of
"renewal" in the logs, despite having a signed-in account with an
expired ticket for over 12 hours.

Here is my sssd.conf:

[sssd]
domains = mydomain.dk
config_file_version = 2
services = nss, pam
debug_level = 12

[domain/mydomain.dk]
ad_gpo_access_control = permissive
ad_domain = mydomain.dk
krb5_realm = MYDOMAIN.DK
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
krb5_renewable_lifetime = 7d
krb5_lifetime = 1h
krb5_renew_interval = 55s
ad_gpo_map_network = +nx

Here is my krb5.conf:

[libdefaults]
        default_realm = SILICOM.DK
        allow_weak_crypto = false

        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        MYDOMAIN.DK = {
                kdc = dc03.mydomain.dk
                kdc = dc04.mydomain.dk
                admin_server = dc03.mydomain.dk
                default_domain = mydomain.dk
        }

[domain_realm]
        .mydomain.dk = MYDOMAIN.DK
        mydomain.dk = MYDOMAIN.DK

[logging]
     kdc = SYSLOG:INFO:DAEMON
     admin_server = SYSLOG:INFO:DAEMON
     default = SYSLOG:INFO:DAEMON

Please let me know which other information I can/should provide.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: sssd-krb5 1.16.1-1ubuntu1.7
ProcVersionSignature: Ubuntu 5.4.0-81.91~18.04.1-generic 5.4.128
Uname: Linux 5.4.0-81-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.24
Architecture: amd64
CurrentDesktop: XFCE
Date: Fri Aug 27 10:28:49 2021
ProcEnviron:
 LANGUAGE=en_US
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sssd
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: sssd (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic

** Attachment added: "sssd-bug.tar.gz"
   
https://bugs.launchpad.net/bugs/1941857/+attachment/5521135/+files/sssd-bug.tar.gz

** Description changed:

  I have domain joined multiple workstations using Ubuntu 18.04. The
  process was straight forward and I had no complaints. Until I found out
  my renewable TGT's were not being renewed at all.
  
  sssd doesnt seem to even attempt to renew my logged in account's ticket.
  
  Some system/package information:
  
  Description:  Ubuntu 18.04.5 LTS
  Release:      18.04
  
  sssd:
-   Installed: 1.16.1-1ubuntu1.7
-   Candidate: 1.16.1-1ubuntu1.7
+   Installed: 1.16.1-1ubuntu1.7
+   Candidate: 1.16.1-1ubuntu1.7
  
  sssd-krb5:
-   Installed: 1.16.1-1ubuntu1.7
-   Candidate: 1.16.1-1ubuntu1.7
+   Installed: 1.16.1-1ubuntu1.7
+   Candidate: 1.16.1-1ubuntu1.7
  
  krb5-user:
-   Installed: 1.16-2ubuntu0.2
-   Candidate: 1.16-2ubuntu0.2
+   Installed: 1.16-2ubuntu0.2
+   Candidate: 1.16-2ubuntu0.2
  
  This is what the ticket looks like:
  
  Ticket cache: FILE:/tmp/krb5cc_1234_0rNUa0
  Default principal: t...@mydomain.dk
  
  Valid starting       Expires              Service principal
- 08/27/2021 10:21:26  08/27/2021 11:21:26  krbtgt/silicom...@silicom.dk
-       renew until 09/03/2021 10:21:26
+ 08/27/2021 10:21:26  08/27/2021 11:21:26  krbtgt/mydomain...@mydomain.dk
+  renew until 09/03/2021 10:21:26
  
  Ticket lifetime and renewable lifetime are only configured in sssd.conf
  (no mention of this in krb5.conf) so the settings do seem to be in
  affect. The logs also show the machine ticket is being renewed every ~15
  minutes.
  
  Even with debug_level on 12, there is NO mention of my current logged in
  account or kerberos cache being tracked for renewal or renewed.
  
  Sometimes a message like this shows up:
  sssd_mydomain.dk.log:(Thu Aug 26 16:35:21 2021) [sssd[be[mydomain.dk]]] 
[krb5_auth_done] (0x1000): Adding [FILE:/tmp/krb5cc_1234_0ZyYae] for automatic 
renewal.
  
  But I have never seen a ticket being automatically renewed after its
  expired but before the renewable expiration date. The current log-in
  session was created on Aug 26 16:54 and again, no mention of the account
  being tracked to renew. The message above was the last mention of
  "renewal" in the logs, despite having a signed in account with an
  expired ticket for over 12 hours.
  
  Here is my sssd.conf:
  
  [sssd]
  domains = mydomain.dk
  config_file_version = 2
  services = nss, pam
  debug_level = 12
  
  [domain/mydomain.dk]
  ad_gpo_access_control = permissive
  ad_domain = mydomain.dk
  krb5_realm = MYDOMAIN.DK
  realmd_tags = manages-system joined-with-adcli
  cache_credentials = True
  id_provider = ad
  krb5_store_password_if_offline = True
  default_shell = /bin/bash
  ldap_id_mapping = False
  use_fully_qualified_names = False
  fallback_homedir = /home/%u
  access_provider = ad
  krb5_renewable_lifetime = 7d
  krb5_lifetime = 1h
  krb5_renew_interval = 55s
  ad_gpo_map_network = +nx
  
  Here is my krb5.conf:
  
  [libdefaults]
-         default_realm = SILICOM.DK
-         allow_weak_crypto = false
+         default_realm = SILICOM.DK
+         allow_weak_crypto = false
  
-         kdc_timesync = 1
-         ccache_type = 4
-         forwardable = true
-         proxiable = true
+         kdc_timesync = 1
+         ccache_type = 4
+         forwardable = true
+         proxiable = true
  
  [realms]
-         MYDOMAIN.DK = {
-                 kdc = dc03.mydomain.dk
-               kdc = dc04.mydomain.dk
-                 admin_server = dc03.mydomain.dk
-                 default_domain = mydomain.dk
-         }
+         MYDOMAIN.DK = {
+                 kdc = dc03.mydomain.dk
+   kdc = dc04.mydomain.dk
+                 admin_server = dc03.mydomain.dk
+                 default_domain = mydomain.dk
+         }
  
  [domain_realm]
-         .mydomain.dk = MYDOMAIN.DK
-         mydomain.dk = MYDOMAIN.DK
+         .mydomain.dk = MYDOMAIN.DK
+         mydomain.dk = MYDOMAIN.DK
  
  [logging]
-      kdc = SYSLOG:INFO:DAEMON
-      admin_server = SYSLOG:INFO:DAEMON
-      default = SYSLOG:INFO:DAEMON
+      kdc = SYSLOG:INFO:DAEMON
+      admin_server = SYSLOG:INFO:DAEMON
+      default = SYSLOG:INFO:DAEMON
  
  Please let me know which other information I can/should provide.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: sssd-krb5 1.16.1-1ubuntu1.7
  ProcVersionSignature: Ubuntu 5.4.0-81.91~18.04.1-generic 5.4.128
  Uname: Linux 5.4.0-81-generic x86_64
  ApportVersion: 2.20.9-0ubuntu7.24
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Fri Aug 27 10:28:49 2021
  ProcEnviron:
-  LANGUAGE=en_US
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=<set>
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+  LANGUAGE=en_US
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=<set>
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
  SourcePackage: sssd
  UpgradeStatus: No upgrade log present (probably fresh install)
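Review bot: the realm redaction is incomplete in the [libdefaults] block, where `default_realm = SILICOM.DK` is carried over unchanged while the klist lines were changed from `krbtgt/silicom...@silicom.dk` to `krbtgt/mydomain...@mydomain.dk`. As written, krb5.conf names a default realm that has no entry under [realms] or [domain_realm] and differs from `krb5_realm = MYDOMAIN.DK` in sssd.conf. Either replace it with MYDOMAIN.DK like the rest of the description, or state that the real file uses the same realm in both places so readers do not chase a realm mismatch.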

https://bugs.launchpad.net/bugs/1941857

Title:
  sssd does not renew user TGT even when krb5_renew_internal and
  _lifetime are set.
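A triage helper for the situation described in this report, added here as an example (it is not code from the report or from sssd): it reads klist output and an sssd domain log and reports whether the TGT can still be renewed and whether its ccache appears in an "Adding [...] for automatic renewal" line. The sample text is constructed from the excerpts quoted above, the function names are hypothetical, and the state names rely on the fact that a KDC renews a TGT only while it has not yet expired.

```python
import re
from datetime import datetime

# Constructed sample input, assembled from the excerpts quoted in the report.
KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1234_0rNUa0
Default principal: t...@mydomain.dk

Valid starting       Expires              Service principal
08/27/2021 10:21:26  08/27/2021 11:21:26  krbtgt/mydomain...@mydomain.dk
 renew until 09/03/2021 10:21:26
"""
SSSD_LOG = ("(Thu Aug 26 16:35:21 2021) [sssd[be[mydomain.dk]]] [krb5_auth_done] "
            "(0x1000): Adding [FILE:/tmp/krb5cc_1234_0ZyYae] for automatic renewal.\n")

FMT = "%m/%d/%Y %H:%M:%S"                     # klist date format as shown in the report
STAMP = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"

def parse_klist(text):
    """Return the ccache name and the krbtgt entry's expiry / renew-until times."""
    cache = re.search(r"^Ticket cache: (\S+)", text, re.M).group(1)
    tgt = re.search(rf"^{STAMP}\s+({STAMP})\s+krbtgt/\S+(?:\n\s*renew until ({STAMP}))?",
                    text, re.M)
    when = lambda s: datetime.strptime(s, FMT) if s else None
    expires, renew_until = (when(tgt.group(1)), when(tgt.group(2))) if tgt else (None, None)
    return {"cache": cache, "expires": expires, "renew_until": renew_until}

def tracked_caches(log_text):
    """ccache names that the sssd backend logged as added for automatic renewal."""
    return set(re.findall(r"Adding \[([^\]]+)\] for automatic renewal", log_text))

def diagnose(klist_text, log_text, now):
    """Return (state, tracked) for the TGT in klist_text at time `now`."""
    info = parse_klist(klist_text)
    tracked = info["cache"] in tracked_caches(log_text)
    if info["expires"] is None:
        state = "no-tgt"
    elif info["renew_until"] is None:
        state = "not-renewable"
    elif now >= info["renew_until"]:
        state = "renewable-lifetime-over"
    elif now >= info["expires"]:
        state = "expired"        # too late to renew: a fresh authentication is needed
    else:
        state = "renewable"      # still valid, so a renewal request can succeed
    return state, tracked

if __name__ == "__main__":
    print(diagnose(KLIST, SSSD_LOG, datetime(2021, 8, 27, 10, 28, 49)))
```

Run against the real `klist` output and `sssd_<domain>.log`, a result of `("renewable", False)` means the current session's ccache was never registered for renewal, which is the condition to look for before the one-hour lifetime runs out.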
