Hello Everyone,

there seems to be a problem with the KRB TGT auto-renewal feature of SSSD in version 1.12.2.

I have this config in sssd.conf:
-----------------------------
krb5_renew_interval = 60
-----------------------------
We are using the AD plugin; the KRB plugin is not installed, but krb-common is (i.e. krb5_child, ldap_child, libsss_krb5_common.so).

#Everything works fine, except auto-renewal!

See the following example:
-----------------------------
$ kinit -l 10m
Password for [email protected]:
$ klist
Ticket cache: KEYRING:persistent:3036404:krb_ccache_G0haM75
Default principal: user@REALM

Valid starting       Expires              Service principal
12/01/2014 16:59:00  12/01/2014 17:08:58  krbtgt/REALM@REALM
        renew until 12/08/2014 16:59:00
$ sleep 601
$ klist
klist: Credentials cache keyring 'persistent:3036404:krb_ccache_G0haM75' not found
-----------------------------

=> The ticket did not get renewed after >5 minutes of its lifetime, or at all, but expired instead.

I also have this behavior with 'traditional' dir-based cache collections... it does not work there either.


Also note that SSSD continues to set timeouts to check for renewal even after the cache is gone:
-----------------------------
(Mon Dec 1 17:08:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:08:09 2014].
###### Ticket expired here ######
(Mon Dec 1 17:09:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:09:09 2014].
(Mon Dec 1 17:10:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:10:09 2014].
(Mon Dec 1 17:11:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:11:09 2014].
(Mon Dec 1 17:12:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:12:09 2014].
(Mon Dec 1 17:13:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:13:09 2014]
...
-----------------------------
But maybe this is normal, as it's only checking for something renewable?



Best regards,
J Brauchle
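
An added diagnostic example, not part of the original post and not SSSD code: it lines up the `renew_all_tgts` checks from the debug log against the TGT lifetime shown by `klist`, to show which checks fell inside the window where a renewal was due. It assumes the behaviour documented in the sssd-krb5 man page (TGTs are renewed once about half of their lifetime has passed); the function names `tgt_window` and `classify_checks` are hypothetical.

```python
import re
from datetime import datetime

# Sample input copied from the post above: klist TGT entry and SSSD debug log lines.
KLIST = """\
Valid starting       Expires              Service principal
12/01/2014 16:59:00  12/01/2014 17:08:58  krbtgt/REALM@REALM
        renew until 12/08/2014 16:59:00
"""
LOG = """\
(Mon Dec 1 17:08:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:08:09 2014].
(Mon Dec 1 17:09:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:09:09 2014].
(Mon Dec 1 17:10:09 2014) [sssd[be[default]]] [renew_all_tgts] (0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec 1 17:10:09 2014].
"""

STAMP = r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)"
TGT_RE = re.compile(rf"^{STAMP}\s+{STAMP}\s+krbtgt/", re.M)
CHECK_RE = re.compile(
    r"^\((.+?)\) \[sssd\[be\[[^\]]*\]\]\] \[renew_all_tgts\].*?Checking \[([^\]]+)\]",
    re.M)

def tgt_window(klist_text):
    """Return (start, midpoint, expires) for the krbtgt entry in klist output."""
    m = TGT_RE.search(klist_text)
    if m is None:
        raise ValueError("no krbtgt entry found (cache empty or expired)")
    start, end = (datetime.strptime(s, "%m/%d/%Y %H:%M:%S") for s in m.groups())
    # Assumption: renewal becomes due at half of the ticket lifetime.
    return start, start + (end - start) / 2, end

def classify_checks(klist_text, log_text):
    """Label each renew_all_tgts check relative to the TGT's lifetime."""
    _, midpoint, end = tgt_window(klist_text)
    result = []
    for stamp, ccache in CHECK_RE.findall(log_text):
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        if when < midpoint:
            state = "before-midpoint"
        elif when <= end:
            state = "renewal-due"   # past half lifetime, ticket still valid
        else:
            state = "after-expiry"  # check still scheduled, ticket already gone
        result.append((when, ccache, state))
    return result

if __name__ == "__main__":
    for when, ccache, state in classify_checks(KLIST, LOG):
        print(when, ccache, state)
```
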
