On Mon, Mar 21, 2022 at 10:55:00AM -0000, Francis Augusto Medeiros-Logeay wrote:
> Hi,
> I currently have some machines that joined a domain on Active
> Directory, and we were dealing with the challenges of renewing tickets
> beyond the TGT "renew until" limit. I realised that after version
> 2.5.0 it is now possible to configure the `tgt_renewal=true`. I
> changed our configuration to use KCM to store the tickets.

Hi,

you cannot renew a ticket after the 'renew until' time is reached.

The ticket has two lifetimes. First is the lifetime of the current
ticket (krb5_lifetime in sssd.conf, ticket_lifetime in krb5.conf) which
specifies how long the ticket is valid. The renew lifetime
(krb5_renewable_lifetime in sssd.conf, renew_lifetime in krb5.conf) is
optional and can be set by the KDC if requested, but the KDC can as
well not set it even if it is requested, if the KDC is configured to
not support renewable tickets.

The renew lifetime is longer than the ticket lifetime, e.g. 1d ticket
lifetime, 7d renew lifetime. With this, as long as the ticket is valid,
i.e. its lifetime has not passed, a new ticket can be requested which
has again a lifetime of 1d starting from the renew request. But this
only works until the 'renew until' time is reached, e.g. for one week.
After that time you have to request a fresh ticket again with your
password, keytab etc.

HTH

bye,
Sumit

>
> To test, I get one-day valid TGT's, and saw that the tickets do not
> get renewed by themselves, and I wonder if I missed a step when
> configuring AD and/or the clients.
>
> Here's a bit of my configuration:
>
> /etc/sssd/sssd.conf:
>
> ```
> [domain/MYDOMAIN.COM]
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> autofs_provider = ad
> chpass_provider = ad
> ldap_id_mapping = false
> ldap_user_principal = nosuchattribute
>
> # getent on users with more -- results in a lot of noise
> enumerate = false
> cache_credentials = true
>
> # Setup schema, rfc2307 is for OpenLDAP, rfc2307bis is A/D-close, and ad is A/D
> #ldap_schema = rfc2307
> dns_discovery_domain = mydomain.com
>
> krb5_realm = MYDOMAIN.COM
> # how long including renewals may a ticket be valid for
> krb5_renewable_lifetime = 1d
> # time in seconds between checking if a ticket must be renewed
> krb5_renew_interval = 3600
> # template used for placing kerberos tickets by default
> # krb5_ccname_template = FILE:%d/krb5cc_%U
> ad_gpo_map_interactive = +gdm-vmwcred
> #tgt_renewal = true
>
> [kcm]
> tgt_renewal = true
> tgt_renewal_inherit = MYDOMAIN.COM
> krb5_renew_interval = 60m
> debug_level = 10
> socket_patch = /var/run/.heim_org.h5l.kcm-socket
> ```
>
> And /etc/krb5.conf:
>
> ```
> [libdefaults]
> default_ccache_name = KCM:
> kcm_socket = /var/run/.heim_org.h5l.kcm-socket
> ```
>
> Anything else I should have done? I see that the tickets are stored on KCM,
> but I don't know why they aren't being renewed.
>
> Best,
>
> Francis
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
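The two lifetimes described in the reply, as an added model that is not part of this thread and not sssd's own code: a ticket carries an expiry and a fixed 'renew until' time, a renewal is only possible while the ticket is still valid and before 'renew until', and each renewal grants a fresh lifetime capped at 'renew until'. The periodic renewal loop is an assumed simplification of sssd's krb5_renew_interval behaviour (here: attempt a renewal once half the configured lifetime has elapsed); the start time and all durations are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DAY = timedelta(days=1)
HOUR = timedelta(hours=1)


@dataclass
class Ticket:
    issued: datetime
    expires: datetime      # end of the current ticket lifetime
    renew_till: datetime   # the 'renew until' time; fixed for the ticket's whole life


def issue_ticket(now, lifetime, renewable_lifetime):
    """Fresh ticket obtained with a password or keytab. The KDC decides the
    renewable lifetime; renewable_lifetime = 0 models a KDC that grants none."""
    return Ticket(now, now + lifetime, now + renewable_lifetime)


def renew(ticket, now, lifetime):
    """Return the renewed ticket, or None once renewal is no longer possible."""
    if now >= ticket.expires:       # ticket already expired: must re-authenticate
        return None
    if now >= ticket.renew_till:    # 'renew until' reached: must re-authenticate
        return None
    # A renewal restarts the ticket lifetime, but never past 'renew until'.
    new_expiry = min(now + lifetime, ticket.renew_till)
    return Ticket(now, new_expiry, ticket.renew_till)


def simulate(lifetime, renewable_lifetime, renew_interval):
    """Run a renewal loop until a renewal is refused.
    Returns ([(renewal time, new expiry), ...], time of the first refused
    renewal), both as offsets from the constructed start time."""
    t0 = datetime(2022, 3, 21, 10, 55)   # constructed start time
    ticket = issue_ticket(t0, lifetime, renewable_lifetime)
    now, renewals = t0, []
    while True:
        now += renew_interval
        if now - ticket.issued < lifetime / 2:   # assumption: renew at half lifetime
            continue
        renewed = renew(ticket, now, lifetime)
        if renewed is None:
            return renewals, now - t0            # fresh ticket needed from here on
        renewals.append((now - t0, renewed.expires - t0))
        ticket = renewed


if __name__ == "__main__":
    for label, renewable in (("7d renewable", 7 * DAY), ("1d renewable", DAY)):
        done, stop = simulate(DAY, renewable, HOUR)
        print(f"{label}: {len(done)} renewals, last expiry {done[-1][1]}, refused at {stop}")
```

With the reply's 1d/7d values the loop renews every 12 hours until the seventh day, whereas a renewable lifetime equal to the ticket lifetime (as in the quoted sssd.conf) leaves no window in which a renewal extends the ticket at all.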
