On Fri, May 31, 2019 at 11:26:46AM +0000, Winberg Adam wrote:
> Aha, interesting. Thank you for a very thorough answer.
>
> So, on my RHEL8 box the ldbsearch command shows the following attribute for
> my user:
>
> ccacheFile: KEYRING:persistent:60483
>
> which is exactly the same as on my RHEL7 box.

Hi,

just to be on the safe side, 'KEYRING:persistent:60483' is also used by
sshd on RHEL8, so after logging in with ssh/GSSAPI 'klist' shows the
forwarded ticket in this ccache?

Have you tried to restart SSSD on RHEL8 as long as there is a valid and
renewable ticket in KEYRING:persistent:60483?

bye,
Sumit

>
> //Adam
>
> ________________________________________
> From: Sumit Bose [[email protected]]
> Sent: 31 May 2019 13:07
> To: [email protected]
> Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
>
> On Fri, May 31, 2019 at 05:38:23AM +0000, Winberg Adam wrote:
> > Ok, so this is an old subject. I know that SSSD can only renew kerberos
> > tickets which it itself has generated which is part of the reason for KCM.
> > But trying out RHEL8, with KCM disabled (because of some weird behaviour
> > reported in a bugzilla ticket), I am affected by this much more than on
> > RHEL7. On RHEL7, sssd manages to renew my kerberos ticket even if I login
> > to the server with sshd GSSAPI and forwarded credentials
> > ('GSSAPIDelegateCredentials yes'). I am not sure why this works on RHEL7
> > when it according to documentation should not.
> >
> > On RHEL7, the krb5_child.log clearly shows that SSSD renews my ticket:
> >
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x1000): total buffer size: [163]
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): cmd [248] uid [60483] gid [102] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [check_use_fast] (0x0100): Not using FAST.
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [60483][102].
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [0][0].
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [become_user] (0x0200): Trying to become user [60483][102].
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x2000): Running as [60483][102].
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_setup] (0x2000): Running as [60483][102].
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x0400): TGT verified using key for [[email protected]].
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [sss_send_pac] (0x0400): PAC responder contacted. It might take a bit of time in case the cache is not up to date.
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_send_data] (0x0200): Received error code 0
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [pack_response_packet] (0x2000): response packet size: [115]
> > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully
> >
> > And as I said, this ticket is forwarded via SSH (logging in to the server
> > via ssh with sssd debugging on yields no log at all from krb5_child, so
> > SSSD is not involved in getting the ticket).
> >
> > So, how does this work on RHEL7 and why does it not work on RHEL8?
>
> Hi,
>
> if SSSD is used for authentication it saves the name of the credential
> cache to the 'ccacheFile' attribute in the cache. This is mainly done to
> keep track of the FILE based ccaches with a random component in the name.
>
> The ccache is added to a renewal list either when SSSD handles a login,
> or at startup, where SSSD checks all ccaches found in the 'ccacheFile'
> attributes in the cache for still valid and renewable tickets.
>
> So I assume that on the RHEL7 system you logged in via SSSD once so that
> the ccache KEYRING:persistent:60483 is stored in the cache for the user
> while on RHEL8 this is not the case. You can check this with the
> ldbsearch utility from the ldb-tools package:
>
> ldbsearch -H /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb | less
>
> HTH
>
> bye,
> Sumit
>
> >
> > Thanks.
> >
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
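A diagnostic script following Sumit's explanation, added here as an example and not code from the thread or from the SSSD project: it parses constructed ldbsearch and klist -f output to tell whether the ccache that sshd filled is recorded in 'ccacheFile' (so SSSD's renewal list can pick it up) and whether the TGT in it is renewable at all. The LDIF layout, the user names and the prefix match on KEYRING collection names are assumptions.

```shell
# Constructed sample (not from the thread) of what
#   ldbsearch -H /var/lib/sss/db/cache_EXAMPLE.COM.ldb   prints for two users.
LDB_SAMPLE='dn: name=adam@example.com,cn=users,cn=example.com,cn=sysdb
name: adam@example.com
ccacheFile: KEYRING:persistent:60483

dn: name=bob@example.com,cn=users,cn=example.com,cn=sysdb
name: bob@example.com
'
# Constructed sample of 'klist -f' after an ssh/GSSAPI login with delegated
# credentials (flags: F forwardable, f forwarded, R renewable, I initial, A preauth).
KLIST_SAMPLE='Ticket cache: KEYRING:persistent:60483:krb_ccache_Abc123
Default principal: adam@example.com

Valid starting       Expires              Service principal
05/31/2019 00:08:45  05/31/2019 10:08:45  krbtgt/example.com@example.com
        renew until 06/07/2019 00:08:45, Flags: FfRIA
'

# Print the ccacheFile SSSD recorded for user NAME (nothing if the entry has none).
sssd_ccache_for_user() {  # NAME LDIF_TEXT
    printf '%s\n' "$2" | awk -v who="$1" '
        /^$/                     { inrec = 0 }
        /^name: /                { inrec = ($2 == who) }
        inrec && /^ccacheFile: / { print $2; exit }'
}

# Return 0 if the krbtgt line in KLIST_TEXT carries the R (renewable) flag.
tgt_is_renewable() {  # KLIST_TEXT
    printf '%s\n' "$1" | awk '
        /krbtgt\//       { tgt = 1; next }
        tgt && /Flags: / { split($0, f, "Flags: "); ok = index(f[2], "R") > 0; tgt = 0 }
        END              { exit ok ? 0 : 1 }'
}

# 0 = SSSD tracks the ccache sshd filled and the TGT is renewable; 1 = ccache not in
# the SSSD cache, so it never reaches the renewal list; 2 = tracked but TGT not renewable.
renewal_check() {  # NAME LDIF_TEXT KLIST_TEXT
    in_use=$(printf '%s\n' "$3" | awk '/^Ticket cache: / { print $3; exit }')
    tracked=$(sssd_ccache_for_user "$1" "$2")
    [ -n "$tracked" ] || return 1
    # klist names the subsidiary cache inside a KEYRING collection, so the recorded
    # collection name is matched as a prefix (assumption about the naming scheme).
    case "$in_use" in
        "$tracked"|"$tracked":*) ;;
        *) return 1 ;;
    esac
    tgt_is_renewable "$3" || return 2
}
```

On a real host, feed it the output of ldbsearch against the domain's cache file and of klist -f from the ssh session in question; a return of 1 is the RHEL8 symptom from the thread.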
