On 12/03/2014 07:37 AM, Joschi Brauchle wrote:
On 12/03/2014 01:34 PM, Jakub Hrozek wrote:
On Wed, Dec 03, 2014 at 12:03:16PM +0100, Joschi Brauchle wrote:
On 12/02/2014 04:45 PM, Jakub Hrozek wrote:
On Mon, Dec 01, 2014 at 05:43:49PM +0100, Joschi Brauchle wrote:
Hello Everyone,
there seems to be a problem with the KRB TGT auto-renewal feature of SSSD in
version 1.12.2.
I have this config in sssd.conf:
-----------------------------
krb5_renew_interval = 60
-----------------------------
We are using the AD plugin, the KRB plugin is not installed but krb-common
(i.e. krb5_child, ldap_child, libsss_krb5_common.so).
#Everything works fine, except auto-renewal!
See the following example:
-----------------------------
$ kinit -l 10m
Password for [email protected]:
Does the renewal work if you acquire the ticket via SSSD login instead
of kinit? Can you test logging in with some PAM service (gdm, su, ...)
Hello Jakub,
thanks for the hint. I can confirm that auto-renew works when
1) using graphical login (i.e. SSSD acquired the ticket)
2) reasonably long lifetime (tested w/ 2h) and renewal time (tested w/ 10m).
I did have problems when getting the ticket with kinit and short
life-/renewal times, as reported originally.
I think this is kind of expected unless you use a ticket name that is
predictable (i.e. no XXXXX components in a FILE:/ ccache) because then
SSSD has no idea which ccache to renew.
Hm, but in my case I was using keyring or dir based
caches/collections, e.g. for the keyring I am sure that the initial
cache name (created by sssd) was not changed with the invocation of
'kinit -l lifetime'. Still, sssd did not renew the ticket with the
modified lifetime (but same cache name)...
AFAIK SSSD does not monitor tickets. It takes a note when it saves a
ticket. So if the ticket was changed out of band it does not know.
What you are looking for is a ticket monitor functionality that is
currently not there. I think we designed it but never got to
implementing it due to complexity.
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.