I have a new server running Ubuntu Bionic (18.04.01) with sssd 1.16.1-1ubuntu1.
The problem is that our Kerberos tickets are not being renewed while we are
logged in. I have tried using FILE and KEYRING credential caches. SSH has
Kerberos disabled, GSSAPI disabled, and is configured to use PAM. Logging
works, but the ticket expires without being renewed. We are using sssd-ad for
auth. I've cranked up the debug to level 9. I am unsure where to start to
try to troubleshoot. Advice is appreciated.

Jay McCanta
F5 Networks, Inc.

Here's a sample ticket:

Ticket cache: KEYRING:persistent:27644:krb_ccache_pBjYhsU
Default principal: [email protected]

10/31/2018 16:15:51  11/01/2018 02:15:51  krbtgt/[email protected]
              renew until 11/07/2018 16:15:51

/etc/sssd/sssd.conf (ad_access_filter omitted for security):
[sssd]
config_file_version = 2
domains = example.com
services = nss, pam
debug_level = 9
reconnection_retries = 3

[nss]
debug_level = 9

[pam]
debug_level = 9

[domain/example.com]
debug_level = 9
id_provider = ad
  default_ccache_tempate=KEYRING:persistent:%U
  krb5_renewable_lifetime=10d
  krb_renew_interval=2h
  auth_provider = ad
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive

Krb5.conf:
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 24h
    renew_lifetime = 7d
    rdns = false
    forwardable = yes
    default_ccache_name=KEYRING:persistent:%{uid}

[realms]
    EXAMPLE.COM = {
        default_domain = example.com
        #site=SE3CIP
        kdc=dc01.example.com:88
        kdc=dc02.example.com:88
    }

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM
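
Added example (not part of the original post and not SSSD code): a small Python check that compares the option names in the [domain/...] section above with names documented in sssd.conf(5), sssd-krb5(5) and sssd-ad(5), and reports indented option lines. KNOWN_DOMAIN_OPTIONS is a partial list assembled for this example, lint_domain_options is a hypothetical helper name, and SAMPLE is a copy of the section constructed from the post.

```python
import difflib

# Partial list of domain-section options documented in sssd.conf(5),
# sssd-krb5(5) and sssd-ad(5); an assumption of this example, not the full schema.
KNOWN_DOMAIN_OPTIONS = {
    "debug_level", "id_provider", "auth_provider", "access_provider",
    "ldap_id_mapping", "ad_gpo_access_control", "ad_access_filter",
    "krb5_ccname_template", "krb5_lifetime", "krb5_renewable_lifetime",
    "krb5_renew_interval", "krb5_ccachedir", "krb5_realm", "krb5_server",
}

# Constructed sample: the [domain/example.com] section as it appears in the post.
SAMPLE = """\
[domain/example.com]
debug_level = 9
id_provider = ad
  default_ccache_tempate=KEYRING:persistent:%U
  krb5_renewable_lifetime=10d
  krb_renew_interval=2h
  auth_provider = ad
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive
"""

def lint_domain_options(text):
    """Return (line_no, key, problem) tuples for option lines in [domain/...] sections."""
    findings, in_domain = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_domain = line.startswith("[domain/")
            continue
        if not in_domain or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip()
        if raw[0].isspace():
            findings.append((no, key, "indented; some INI parsers fold this into the previous value"))
        if key not in KNOWN_DOMAIN_OPTIONS:
            near = difflib.get_close_matches(key, KNOWN_DOMAIN_OPTIONS, n=1, cutoff=0.8)
            hint = "; closest known option: " + near[0] if near else ""
            findings.append((no, key, "not in known-option list" + hint))
    return findings

if __name__ == "__main__":
    for no, key, problem in lint_domain_options(SAMPLE):
        print(f"line {no}: {key}: {problem}")
```

On a host with the sssd-tools package installed, `sssctl config-check` validates the real file against the full option schema.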
_______________________________________________
sssd-users mailing list -- [email protected]