Aha, interesting. Thank you for a very thorough answer. So, on my RHEL8 box the ldbsearch command shows the following attribute for my user:
ccacheFile: KEYRING:persistent:60483

which is exactly the same as on my RHEL7 box.

//Adam

________________________________________
From: Sumit Bose [[email protected]]
Sent: 31 May 2019 13:07
To: [email protected]
Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi

On Fri, May 31, 2019 at 05:38:23AM +0000, Winberg Adam wrote:
> Ok, so this is an old subject. I know that SSSD can only renew kerberos
> tickets which it itself has generated which is part of the reason for KCM.
> But trying out RHEL8, with KCM disabled (because of some weird behaviour
> reported in a bugzilla ticket), I am affected by this much more than on
> RHEL7. On RHEL7, sssd manages to renew my kerberos ticket even if I login to
> the server with sshd GSSAPI and forwarded credentials
> ('GSSAPIDelegateCredentials yes'). I am not sure why this works on RHEL7 when
> it according to documentation should not.
>
> On RHEL7, the krb5_child.log clearly shows that SSSD renews my ticket:
>
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x1000): total buffer size: [163]
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): cmd [248] uid [60483] gid [102] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [check_use_fast] (0x0100): Not using FAST.
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [60483][102].
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [0][0].
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [become_user] (0x0200): Trying to become user [60483][102].
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x2000): Running as [60483][102].
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_setup] (0x2000): Running as [60483][102].
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x0400): TGT verified using key for [[email protected]].
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [sss_send_pac] (0x0400): PAC responder contacted. It might take a bit of time in case the cache is not up to date.
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_send_data] (0x0200): Received error code 0
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [pack_response_packet] (0x2000): response packet size: [115]
> (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully
>
> And as I said, this ticket is forwarded via SSH (logging in to the server via
> ssh with sssd debugging on yields no log at all from krb5_child, so SSSD is
> not involved in getting the ticket).
>
> So, how does this work on RHEL7 and why does it not work on RHEL8?
Hi,

if SSSD is used for authentication it saves the name of the credential cache to the 'ccacheFile' attribute in the cache. This is mainly done to keep track of the FILE based ccaches with a random component in the name. The ccache is added to a renewal list either when SSSD handles a login, or at startup, where SSSD checks all ccaches found in the 'ccacheFile' attributes in the cache for still valid and renewable tickets.

So I assume that on the RHEL7 system you logged in via SSSD once so that the ccache KEYRING:persistent:60483 is stored in the cache for the user while on RHEL8 this is not the case. You can check this with the ldbsearch utility from the ldb-tools package:

    ldbsearch -H /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb | less

HTH

bye,
Sumit

>
> Thanks.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
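As an added example, not from this thread and not SSSD's own code: a small parser for the LDIF that the ldbsearch check above prints, listing which cached users carry a 'ccacheFile' attribute. Users without one are exactly the ones whose ccache SSSD cannot find at startup and so never puts on its renewal list. The domain, user names and ccache paths in the embedded sample are constructed.

```python
import base64
from typing import Dict, List, Optional
# Constructed sample of the LDIF that `ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.COM.ldb`
# prints for user entries; dn layout follows the SSSD sysdb, names/uids/paths are made up.
_B64 = base64.b64encode(b"FILE:/tmp/krb5cc_60485_XXxxxx").decode()
SAMPLE_LDIF = f"""\
dn: name=adam@example.com,cn=users,cn=example.com,cn=sysdb
name: adam@example.com
ccacheFile: KEYRING:persistent:60483

dn: name=bob@example.com,cn=users,cn=example.com,cn=sysdb
name: bob@example.com

dn: name=carol@example.com,cn=users,cn=example.com,cn=sysdb
name: carol@example.com
ccacheFile:: {_B64}

# returned 3 records
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split LDIF into records; unfold ' '-continued lines, decode 'attr:: <base64>' values."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation of the previous line
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes the last record
        if not line:                          # blank line terminates a record
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):        # skip ldbsearch comments like '# returned N records'
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value.strip())
    return records

def ccaches_by_user(text: str) -> Dict[str, Optional[str]]:
    """Map each cached user to its recorded ccacheFile, None if SSSD never handled its login."""
    return {rec["name"][0]: rec.get("ccacheFile", [None])[0]
            for rec in parse_ldif(text) if "name" in rec}

def users_without_ccache(text: str) -> List[str]:
    """Users whose ccache SSSD cannot find at startup, so their TGT is never renewed by it."""
    return sorted(user for user, cc in ccaches_by_user(text).items() if cc is None)
```

Feed it the real ldbsearch output instead of SAMPLE_LDIF to see which users on a host lack the attribute.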
