On Wed, Oct 31, 2018 at 07:19:44PM +0000, Jay McCanta wrote:
> I have a new server running Ubuntu Bionic (18.04.01) with sssd
> 1.16.1-1ubuntu1. The problem is that our Kerberos tickets are not being
> renewed while we are logged in. I have tried using FILE and KEYRING
> credential caches. SSH has Kerberos disabled, GSSAPI disabled, and is
> configured to use PAM. Logging works, but the ticket expires without being
> renewed. We are using sssd-ad for auth. I've cranked up the debug to level
> 9. I am unsure where to start to try to troubleshoot. Advice is appreciated.
>
> Jay McCanta
> F5 Networks, Inc.
>
> Here's a sample ticket:
>
> Ticket cache: KEYRING:persistent:27644:krb_ccache_pBjYhsU
> Default principal: [email protected]
>
> 10/31/2018 16:15:51 11/01/2018 02:15:51 krbtgt/[email protected]
> renew until 11/07/2018 16:15:51

Can you renew the ticket with kinit -R?

>
> /etc/sssd/sssd.conf (ad_access_filter omitted for security):
> [sssd]
> config_file_version = 2
> domains = example.com
> services = nss, pam
> debug_level = 9
> reconnection_retries = 3
>
> [nss]
> debug_level = 9
>
> [pam]
> debug_level = 9
>
> [domain/example.com]
> debug_level = 9
> id_provider = ad
> default_ccache_tempate=KEYRING:persistent:%U
> krb5_renewable_lifetime=10d
> krb_renew_interval=2h
> auth_provider = ad
> access_provider = ad
> ldap_id_mapping = False
> ad_gpo_access_control = permissive
>
> Krb5.conf:
> [libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> rdns = false
> forwardable = yes
> default_ccache_name=KEYRING:persistent:%{uid}
>
> [realms]
> EXAMPLE.COM = {
> default_domain = example.com
> #site=SE3CIP
> kdc=dc01.example.com:88
> kdc=dc02.example.com:88
> }
>
> [domain_realm]
> example.com = EXAMPLE.COM
> .example.com = EXAMPLE.COM
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
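
An added example, not part of the original thread and not sssd's own code: a Python check that parses the [domain/...] section quoted above and flags Kerberos-looking keys that do not match an option name documented in sssd-krb5(5), such as krb5_ccname_template and krb5_renew_interval. The known-options list is partial, and the keyword heuristic and the function name are assumptions of this example.

```python
import configparser
import difflib

# Partial list of option names documented in sssd-krb5(5); extend as needed.
KNOWN_KRB5_OPTIONS = {
    "krb5_server", "krb5_realm", "krb5_keytab", "krb5_validate",
    "krb5_ccachedir", "krb5_ccname_template", "krb5_lifetime",
    "krb5_renewable_lifetime", "krb5_renew_interval",
}
# Heuristic (assumption of this example): a key containing one of these
# words is meant to be a Kerberos / credential-cache setting.
HINTS = ("krb", "ccache", "ccname", "renew")

# Constructed sample: the [domain/...] section as posted in the thread.
SAMPLE = """\
[domain/example.com]
debug_level = 9
id_provider = ad
default_ccache_tempate=KEYRING:persistent:%U
krb5_renewable_lifetime=10d
krb_renew_interval=2h
auth_provider = ad
access_provider = ad
ldap_id_mapping = False
ad_gpo_access_control = permissive
"""

def find_suspect_options(conf_text):
    """Return {(section, key): [closest known name]} for unrecognised keys."""
    # interpolation=None: values such as '%U' are not configparser templates.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    suspects = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        for key in parser[section]:
            if key in KNOWN_KRB5_OPTIONS or not any(h in key for h in HINTS):
                continue
            suspects[(section, key)] = difflib.get_close_matches(
                key, sorted(KNOWN_KRB5_OPTIONS), n=1, cutoff=0.5)
    return suspects

if __name__ == "__main__":
    for (section, key), guess in find_suspect_options(SAMPLE).items():
        print(f"[{section}] {key}: not a known krb5 option; closest: {guess}")
```

Per sssd-krb5(5), automatic renewal is disabled when krb5_renew_interval is unset or 0, so a misspelled key leaves renewal off without any error at login.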