Hi, I currently have some machines that joined a domain on Active Directory, and we were dealing with the challenges of renewing tickets beyond the TGT "renew until" limit. I realised that after version 2.5.0 it is now possible to configure the `tgt_renewal=true`. I changed our configuration to use KCM to store the tickets.
To test, I get one-day valid TGTs, and I saw that the tickets do not get renewed by themselves, so I wonder whether I missed a step when configuring AD and/or the clients.
Here's a bit of my configuration:
/etc/sssd/sssd.conf:
```
[domain/MYDOMAIN.COM]
id_provider = ad
auth_provider = ad
access_provider = ad
autofs_provider = ad
chpass_provider = ad
ldap_id_mapping = false
ldap_user_principal = nosuchattribute

# getent on users with more -- results in a lot of noise
enumerate = false
cache_credentials = true

# Setup schema, rfc2307 is for OpenLDAP, rfc2307bis is A/D-close, and ad is A/D
#ldap_schema = rfc2307
dns_discovery_domain = mydomain.com

krb5_realm = MYDOMAIN.COM
# how long including renewals may a ticket be valid for
krb5_renewable_lifetime = 1d
# time in seconds between checking if a ticket must be renewed
krb5_renew_interval = 3600
# template used for placing kerberos tickets by default
# krb5_ccname_template = FILE:%d/krb5cc_%U
ad_gpo_map_interactive = +gdm-vmwcred
#tgt_renewal = true

[kcm]
tgt_renewal = true
tgt_renewal_inherit = MYDOMAIN.COM
krb5_renew_interval = 60m
debug_level = 10
# the sssd-kcm option is spelled socket_path
socket_path = /var/run/.heim_org.h5l.kcm-socket
```
And /etc/krb5.conf:
```
[libdefaults]
default_ccache_name = KCM:
kcm_socket = /var/run/.heim_org.h5l.kcm-socket
```
Anything else I should have done? I see that the tickets are stored in KCM, but I don't know why they aren't being renewed.
Best,
Francis
On Mon, Mar 21, 2022 at 10:55:00AM -0000, Francis Augusto Medeiros-Logeay wrote:
Hi, I currently have some machines that joined a domain on Active Directory, and we were dealing with the challenges of renewing tickets beyond the TGT "renew until" limit. I realised that after version 2.5.0 it is now possible to configure the `tgt_renewal=true`. I changed our configuration to use KCM to store the tickets.
Hi,
you cannot renew a ticket after the 'renew until' time is reached. The ticket has two lifetimes. The first is the lifetime of the current ticket (krb5_lifetime in sssd.conf, ticket_lifetime in krb5.conf), which specifies how long the ticket is valid.
The renew lifetime (krb5_renewable_lifetime in sssd.conf, renew_lifetime in krb5.conf) is optional and can be set by the KDC if requested, but the KDC can as well not set it, even if it is requested, if the KDC is configured to not support renewable tickets. The renew lifetime is longer than the ticket lifetime, e.g. 1d ticket lifetime, 7d renew lifetime. With this, as long as the ticket is valid, i.e. its lifetime has not passed, a new ticket can be requested which again has a lifetime of 1d starting from the renew request. But this only works until the 'renew until' time is reached, e.g. for one week. After that time you have to request a fresh ticket again with your password, keytab etc.
HTH
bye, Sumit
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hi Sumit,
Thanks for the answer. I hear what you are saying, but I guess you are not taking into account the new `tgt_renewal` option that was introduced on sssd 2.5.0, which might be able to renew the TGT itself.
Best, Francis
On Mon, Mar 21, 2022 at 12:54:19PM -0000, Francis Augusto Medeiros-Logeay wrote:
Hi Sumit,
Thanks for the answer. I hear what you are saying, but I guess you are not taking into account the new `tgt_renewal` option that was introduced on sssd 2.5.0, which might be able to renew the TGT itself.
Hi,
no, when I was talking about a Kerberos ticket I meant the TGT. The 'tgt_renewal' option automates the process of calling 'kinit -R', but it has no means to make the renewal longer than the 'renew until' time.
bye, Sumit
I see. Is there any strategy to automate the renewal of the TGT without the user having to manually do a `kinit` and type the password? I have seen on the internet that some people cache the credentials in a keytab, but I wish there were an option that was a bit more elegant and did not require the user to type his password.