Ok, doing that on RHEL7 yielded the following log message:

[check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483]

On RHEL8 I get a bit more:

/var/log/sssd/krb5_child.log
[unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
[k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:60483] and is active and TGT is valid.
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:60483]
[sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KEYRING:persistent:60483:krb_ccache_0AxONF2]
[create_ccache] (0x4000): Initializing ccache of type [KEYRING]

/var/log/sssd/sssd_ad.example.com.log
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60483] for user [[email protected]].
[krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60483] for automatic renewal.
[add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60483] for renewal at [Fri May 31 12:57:09 2019].
[check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483].

Looks like it's initializing my cache for renewal. But shouldn't that happen on login then?

Adam Winberg
ITpc SMHI
Phone 011-4958058
Fax 011-4958350
E-mail [email protected]
601 76 Norrköping
Visiting address Folkborgsvägen 1
www.smhi.se

________________________________________
From: Sumit Bose [[email protected]]
Sent: 31 May 2019 14:29
To: [email protected]
Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi

On Fri, May 31, 2019 at 12:05:46PM +0000, Winberg Adam wrote:
> Yes, klist on RHEL8 after login shows
>
> Ticket cache: KEYRING:persistent:60483:krb_ccache_0AxONF2
>
> Same as on RHEL7.
>
> Restarting SSSD does nothing to my ticket on either RHEL7 or RHEL8, but I guess my ticket lifetime has to have exceeded half the lifetime or something like that for renewal to take place? My ticket is pretty new...

Yes.

As an alternative you can add 'debug_level=9' to the [domain/...] section of sssd.conf, restart SSSD and look for "Adding [KEYRING:persistent:60483] for automatic renewal" messages in the domain log.

bye,
Sumit

> //Adam
>
> ________________________________________
> From: Sumit Bose [[email protected]]
> Sent: 31 May 2019 13:52
> To: [email protected]
> Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
>
> On Fri, May 31, 2019 at 11:26:46AM +0000, Winberg Adam wrote:
> > Aha, interesting. Thank you for a very thorough answer.
> >
> > So, on my RHEL8 box the ldbsearch command shows the following attribute for my user:
> >
> > ccacheFile: KEYRING:persistent:60483
> >
> > which is exactly the same as on my RHEL7 box.
>
> Hi,
>
> just to be on the safe side, 'KEYRING:persistent:60483' is also used by sshd on RHEL8, so after logging in with ssh/GSSAPI 'klist' shows the forwarded ticket in this ccache?
>
> Have you tried to restart SSSD on RHEL8 as long as there is a valid and renewable ticket in KEYRING:persistent:60483?
>
> bye,
> Sumit
>
> > //Adam
> >
> > ________________________________________
> > From: Sumit Bose [[email protected]]
> > Sent: 31 May 2019 13:07
> > To: [email protected]
> > Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
> >
> > On Fri, May 31, 2019 at 05:38:23AM +0000, Winberg Adam wrote:
> > > Ok, so this is an old subject. I know that SSSD can only renew Kerberos tickets which it itself has generated, which is part of the reason for KCM. But trying out RHEL8, with KCM disabled (because of some weird behaviour reported in a bugzilla ticket), I am affected by this much more than on RHEL7. On RHEL7, sssd manages to renew my Kerberos ticket even if I log in to the server with sshd GSSAPI and forwarded credentials ('GSSAPIDelegateCredentials yes'). I am not sure why this works on RHEL7 when, according to the documentation, it should not.
> > >
> > > On RHEL7, the krb5_child.log clearly shows that SSSD renews my ticket:
> > >
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x1000): total buffer size: [163]
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): cmd [248] uid [60483] gid [102] validate [true] enterprise principal [false] offline [false] UPN [[email protected]]
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [check_use_fast] (0x0100): Not using FAST.
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [60483][102].
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [0][0].
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [become_user] (0x0200): Trying to become user [60483][102].
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x2000): Running as [60483][102].
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_setup] (0x2000): Running as [60483][102].
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x0400): TGT verified using key for [[email protected]].
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [sss_send_pac] (0x0400): PAC responder contacted. It might take a bit of time in case the cache is not up to date.
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_send_data] (0x0200): Received error code 0
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [pack_response_packet] (0x2000): response packet size: [115]
> > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully
> > >
> > > And as I said, this ticket is forwarded via SSH (logging in to the server via ssh with sssd debugging on yields no log at all from krb5_child, so SSSD is not involved in getting the ticket).
> > >
> > > So, how does this work on RHEL7 and why does it not work on RHEL8?
> >
> > Hi,
> >
> > if SSSD is used for authentication it saves the name of the credential cache to the 'ccacheFile' attribute in the cache. This is mainly done to keep track of the FILE-based ccaches with a random component in the name.
> >
> > The ccache is added to a renewal list either when SSSD handles a login, or at startup, where SSSD checks all ccaches found in the 'ccacheFile' attributes in the cache for still valid and renewable tickets.
> >
> > So I assume that on the RHEL7 system you logged in via SSSD once so that the ccache KEYRING:persistent:60483 is stored in the cache for the user, while on RHEL8 this is not the case. You can check this with the ldbsearch utility from the ldb-tools package:
> >
> > ldbsearch -H /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb | less
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> > > Thanks.

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
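The thread's diagnosis comes down to reading a handful of SSSD log messages: "Save ccname [...]" (the name is recorded in the ccacheFile attribute), "Adding [...] for automatic renewal" / "Added [...] for renewal at [...]" (the ccache is now on the renewal list), "Failed to check ccache file [...]" (the startup check could not inspect it), and, in krb5_child.log, "Will perform ticket renewal" followed by "krb5_child completed successfully". The script below is an added example, written for this page and not part of the thread or of SSSD; it parses lines in the format SSSD writes to /var/log/sssd/*.log (with or without the leading timestamp and component tag) and reports whether a given ccache was picked up for renewal. The sample log lines are constructed for the example, patterned on the ones quoted in the thread; the realm and user in them are placeholders.

```python
"""Check whether SSSD picked up a credential cache for automatic TGT renewal.

Added example (not SSSD code and not from the mailing-list thread).  It reads
SSSD debug log lines such as
    (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
    [krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60483] for automatic renewal.
and summarises the renewal-related events for one ccache name.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

LINE_RE = re.compile(
    r"^(?:\((?P<ts>[^)]+)\)\s+)?"          # optional "(Fri May 31 00:08:45 2019)"
    r"(?:\[(?P<comp>\S+)\]\s+)?"            # optional "[[sssd[krb5_child[62512]]]]" tag
    r"\[(?P<func>[^\]]+)\]\s+"              # "[krb5_auth_done]"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s*"    # "(0x1000):"
    r"(?P<msg>.*)$"
)
# A ccache name as SSSD prints it inside square brackets.
CCACHE_RE = re.compile(r"\[((?:KEYRING|FILE|DIR|KCM):[^\]]+)\]")


@dataclass
class LogEntry:
    timestamp: Optional[str]
    component: Optional[str]
    function: str
    level: int          # SSSD debug level bit, e.g. 0x1000
    message: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one SSSD log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    comp = m["comp"]
    if comp and comp.startswith("["):     # "[sssd[krb5_child[62512]]]" -> drop outer brackets
        comp = comp[1:-1]
    return LogEntry(m["ts"], comp, m["func"], int(m["level"], 16), m["msg"])


@dataclass
class RenewalStatus:
    ccname_saved: bool = False       # krb5_mod_ccname stored the name (ccacheFile attribute)
    added_for_renewal: bool = False  # krb5_auth_done queued the ccache
    renew_at: Optional[str] = None   # time reported by add_tgt_to_renew_table
    check_failed: bool = False       # check_ccache_files could not inspect the ccache
    renewals_completed: int = 0      # krb5_child renewal runs that finished successfully


def renewal_status(lines: Iterable[str], ccache: str) -> RenewalStatus:
    """Summarise what the log says about renewal of `ccache`."""
    st = RenewalStatus()
    current_cc = None      # ccname of the krb5_child run currently being read
    renewing = False       # that run announced "Will perform ticket renewal"
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        mentions = ccache in CCACHE_RE.findall(e.message)
        if e.function == "krb5_mod_ccname" and mentions and e.message.startswith("Save ccname"):
            st.ccname_saved = True
        elif e.function == "krb5_auth_done" and mentions and "for automatic renewal" in e.message:
            st.added_for_renewal = True
        elif e.function == "add_tgt_to_renew_table" and mentions:
            m = re.search(r"for renewal at \[([^\]]+)\]", e.message)
            if m:
                st.renew_at = m.group(1)
        elif e.function == "check_ccache_files" and mentions and "Failed to check" in e.message:
            st.check_failed = True
        elif e.function == "unpack_buffer":
            m = re.search(r"ccname: \[([^\]]+)\]", e.message)
            if m:
                current_cc = m.group(1)
                renewing = False
        elif e.function == "main" and e.message == "Will perform ticket renewal":
            renewing = current_cc == ccache
        elif e.function == "main" and renewing and e.message.startswith("krb5_child completed successfully"):
            st.renewals_completed += 1
            renewing = False
    return st


# Constructed sample input (placeholder realm/user), patterned on the thread's logs.
SAMPLE_DOMAIN_LOG = """\
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60483] for user [user@AD.EXAMPLE.COM].
[krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60483] for automatic renewal.
[add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60483] for renewal at [Fri May 31 12:57:09 2019].
[check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483].
"""
SAMPLE_KRB5_CHILD_LOG = """\
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully
"""

if __name__ == "__main__":
    cc = "KEYRING:persistent:60483"
    print("domain log:", renewal_status(SAMPLE_DOMAIN_LOG.splitlines(), cc))
    print("krb5_child log:", renewal_status(SAMPLE_KRB5_CHILD_LOG.splitlines(), cc))
```

Run it against a real domain log with `debug_level = 9` set as Sumit suggests (for example `renewal_status(open("/var/log/sssd/sssd_ad.example.com.log"), "KEYRING:persistent:60483")`): `added_for_renewal` being False for a ccache that klist shows as the active one is the RHEL8 symptom the thread describes, and `check_failed` alone does not mean renewal is broken, since the same message appears on the RHEL7 box where renewals succeed.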
