OK, so this is an old subject. I know that SSSD can only renew Kerberos tickets 
which it itself has generated, which is part of the reason for KCM. But trying 
out RHEL8, with KCM disabled (because of some weird behaviour reported in a 
Bugzilla ticket), I am affected by this much more than on RHEL7. On RHEL7, SSSD 
manages to renew my Kerberos ticket even if I log in to the server with sshd 
GSSAPI and forwarded credentials ('GSSAPIDelegateCredentials yes'). I am not 
sure why this works on RHEL7 when, according to the documentation, it should not.

On RHEL7, the krb5_child.log clearly shows that SSSD renews my ticket:

(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x1000): total buffer size: [163]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): cmd [248] uid [60483] gid [102] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [60483][102].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [become_user] (0x0200): Trying to become user [60483][102].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x2000): Running as [60483][102].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_setup] (0x2000): Running as [60483][102].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x0400): TGT verified using key for [[email protected]].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [sss_send_pac] (0x0400): PAC responder contacted. It might take a bit of time in case the cache is not up to date.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_send_data] (0x0200): Received error code 0
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [pack_response_packet] (0x2000): response packet size: [115]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully

And as I said, this ticket is forwarded via SSH (logging in to the server via 
SSH with SSSD debugging on yields no log at all from krb5_child, so SSSD is not 
involved in getting the ticket).

So, how does this work on RHEL7 and why does it not work on RHEL8?

Thanks.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
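The post's question hinges on reading krb5_child.log correctly: which run performed renewal, against which ccache, with what renewable lifetime, and whether the TGT was validated against the keytab. The following is an added example (not code from the post or from the SSSD project) that parses the debug line format shown above and summarises each krb5_child run by pid. SAMPLE_LOG is constructed from the post's log: the lines are unwrapped, the redacted principals are replaced by placeholder names (user@EXAMPLE.COM, host/server.example.com@EXAMPLE.COM), and a second, shorter run for pid 62600 is made up to show what a run without renewal markers looks like.

```python
import re
from collections import OrderedDict

# krb5_child.log line format as seen in the post:
# (timestamp) [[sssd[krb5_child[PID]]]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

# (function, message prefix) pairs that answer "did this run renew a TGT?";
# all four strings appear verbatim in the post's log.
MARKERS = {
    "renewal_requested": ("main", "Will perform ticket renewal"),
    "renewing": ("renew_tgt_child", "Renewing a ticket"),
    "tgt_validated": ("validate_tgt", "TGT verified using key for"),
    "completed_ok": ("main", "krb5_child completed successfully"),
}
CCNAME_RE = re.compile(r"ccname: \[(?P<cc>[^\]]*)\] old_ccname: \[(?P<old>[^\]]*)\]")
LIFETIME_RE = re.compile(r"Renewable lifetime is set to \[(?P<lt>[^\]]+)\]")
UID_RE = re.compile(r"uid \[(?P<uid>\d+)\] gid \[(?P<gid>\d+)\]")


def parse_line(line):
    """Split one krb5_child.log line into fields; None if it is not a debug line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def new_run():
    run = {k: False for k in MARKERS}
    run.update(ccname=None, old_ccname=None, renewable_lifetime=None, uid=None, lines=0)
    return run


def summarise(lines):
    """Group debug lines by krb5_child pid and pull out the renewal-relevant facts."""
    runs, unparsed = OrderedDict(), 0
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1 if raw.strip() else 0
            continue
        run = runs.setdefault(rec["pid"], new_run())
        run["lines"] += 1
        for key, (func, prefix) in MARKERS.items():
            if rec["func"] == func and rec["msg"].startswith(prefix):
                run[key] = True
        if rec["func"] == "unpack_buffer":
            m = CCNAME_RE.search(rec["msg"])
            if m:
                run["ccname"], run["old_ccname"] = m.group("cc"), m.group("old")
            m = UID_RE.search(rec["msg"])
            if m:
                run["uid"] = int(m.group("uid"))
        elif rec["func"] == "set_lifetime_options":
            m = LIFETIME_RE.search(rec["msg"])
            if m:
                run["renewable_lifetime"] = m.group("lt")
    return runs, unparsed


def renewed_ok(run):
    """True only when the run set up renewal, renewed, validated the TGT and exited cleanly."""
    return all(run[k] for k in ("renewal_requested", "renewing", "tgt_validated", "completed_ok"))


# Constructed sample: the post's lines unwrapped with placeholder principals,
# plus a made-up second run (pid 62600) that does not renew, and one junk line.
SAMPLE_LOG = """\
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): cmd [248] uid [60483] gid [102] validate [true] enterprise principal [false] offline [false] UPN [user@EXAMPLE.COM]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x0400): TGT verified using key for [host/server.example.com@EXAMPLE.COM].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_send_data] (0x0200): Received error code 0
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully
(Fri May 31 00:09:10 2019) [[sssd[krb5_child[62600]]]] [main] (0x0400): krb5_child started.
(Fri May 31 00:09:10 2019) [[sssd[krb5_child[62600]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
(Fri May 31 00:09:10 2019) [[sssd[krb5_child[62600]]]] [main] (0x0400): krb5_child completed successfully
not a log line
"""


def report(text=SAMPLE_LOG):
    """Per-pid summary dicts (with a renewed_ok verdict) and the count of unparsed lines."""
    runs, unparsed = summarise(text.splitlines())
    return {pid: dict(r, renewed_ok=renewed_ok(r)) for pid, r in runs.items()}, unparsed


if __name__ == "__main__":
    runs, unparsed = report()
    for pid, r in runs.items():
        verdict = "renewed" if r["renewed_ok"] else "no renewal"
        print(pid, verdict, r["ccname"], r["renewable_lifetime"])
    print("unparsed lines:", unparsed)
```

Run it against a real krb5_child.log (with debug_level high enough to emit the 0x0400 and 0x1000 lines) to see whether any run touches the KEYRING ccache the ssh login populated; a log with no krb5_child run at all for a session, as the post describes for the ssh GSSAPI login, simply yields no entry here.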