On (23/05/17 08:39), Joakim Tjernlund wrote: >On Tue, 2017-05-23 at 10:11 +0200, Joakim Tjernlund wrote: >> On Mon, 2017-05-22 at 22:29 +0200, Lukas Slebodnik wrote: >> > On (22/05/17 14:53), Joakim Tjernlund wrote: >> > > > The time is not synchronised between client and server. >> > > > MIT krb5 can handle small offset. But I would highly recommends >> > > > to keep time in sync. >> > > >> > > There is some time problem on and off but this has never been too much. >> > > I don't >> > > think this was the root problem here ? >> > > >> > >> > As I already mention I would highly recommend to keep time in sync. >> > It will reduce possible errors. >> > >> > Configure ntpd/chrony on client and server is not a rocket science :-) >> >> Sure, no rocket science but I have little control over the AD servers. :( >> Anyhow, I did a "net ads info" and it came back with Server time offset: 0 >> so I don't think there is a time difference(or very small)? >> The clients are already on NTP. >> >> > >> > >> > > > Renewing of a ticket failed because it is already expired. >> > > > Maybe due to time shift between client and server(KDC) >> > > >> > > Yes, it is expired to begin with. I got a ticket, then suspended the >> > > computer long enough for >> > > the ticket to expire(10 hours here) and then woke up and unlocked the >> > > screen. >> > > The problem is that sssd never tries to get a new ticket using my creds >> > > I gave when unlocking. >> > > Even if I do several lock/unlocks after the network is restored, sssd >> > > will not get me a new ticket. >> > > >> > >> > sssd would get new ticket if it was in online mode. >> > But it offline mode. >> > >> > I would highly recommend to keep time in sync with server >> > and then debug why sssd was in offline mode. >> > Or why it went to offline mode. >> > >> > With 1.15 you can use sssctl e.g. >> >> I did run sssctl domain-status infinera.com and it came back with: >> Unable to get online status [3]: Communication error >> org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes >> include: the remote application >> did not send a reply, the message bus security policy blocked the reply, the >> reply timeout expired, or the >> network connection was broken. >> Check that SSSD is running and the InfoPipe responder is enabled. Make sure >> 'ifp' is listed in the 'services' >> option in sssd.conf. >> Unable to get online status >> >> I then just added 'ifp' to 'services' and restarted sssd and now it works: >> sssctl domain-status infinera.com >> Online status: Online >> >> Active servers: >> AD Global Catalog: not connected >> AD Domain Controller: se-dc01.infinera.com >> ..... >> >> Could the problem I saw be related to not having ifp in services ? >> I will check again when the ticket expires again. >> >> Jocke > >but krb5_child log just repeats: > > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [renew_tgt_child] >(0x1000): Renewing a ticket >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638731: Retrieving >[email protected] -> krbtgt/[email protected] from >FILE:/tmp/krb5cc_1001 with result: 0/Success > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638747: Get cred via >TGT krbtgt/[email protected] after requesting >krbtgt/[email protected] (canonicalize off) > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638788: Generated >subkey for TGS request: aes256-cts/3F94 > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638841: etypes >requested in TGS request: aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, >camellia128-cts, camellia256-cts, des-cbc-crc, des, des-cbc-md4 > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.638944: Encoding >request body and padata into FAST request > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.639036: Sending request >(1901 bytes) to INFINERA.COM > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.639179: Resolving >hostname se-dc01.infinera.com > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.639483: Initiating TCP >connection to stream 10.210.34.21:88 > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.639888: Sending TCP >request to stream 10.210.34.21:88 > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.640356: Received answer >(123 bytes) from stream 10.210.34.21:88 > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.640375: Terminating TCP >connection to stream 10.210.34.21:88 > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.640416: Response was >not from master KDC > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] >[sss_child_krb5_trace_cb] (0x4000): [30164] 1495527829.640436: Got cred; >-1765328352/Ticket expired > >(Tue May 23 10:23:49 2017) [[sssd[krb5_child[30164]]]] [map_krb5_error] >(0x0020): 1643: [-1765328352][Ticket expired]
The most confusing for me was a reason why we went offline. And after checking the source code I found out a reason. We map expired ticket(KRB5KRB_AP_ERR_TKT_EXPIRED) to network error (ERR_NETWORK_IO) since 1.14.2 https://pagure.io/SSSD/sssd/issue/3174 https://pagure.io/SSSD/sssd/c/d3348f49260998880bb7cd3b2fb72d562b1b7a64 It might be a reasonable with first kinit. Because new ticket should be valid. But we should treat it differently for renewing ticket. Thank you very much for bug report. And sorry that it took me so long to find a bug. LS _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
