On Fri, May 31, 2019 at 01:01:27PM +0000, Winberg Adam wrote:
> Ok, doing that on RHEL7 yielded the following log message:
>
> [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483]
>
> On RHEL8 I get a bit more:
>
> /var/log/sssd/krb5_child.log
> [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
> [k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:60483] and is active and TGT is valid.
> [sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:60483]
> [sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KEYRING:persistent:60483:krb_ccache_0AxONF2]
> [create_ccache] (0x4000): Initializing ccache of type [KEYRING]
>
> /var/log/sssd/sssd_ad.example.com.log
> [krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60483] for user [a001329(a)ad.example.com].
> [krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60483] for automatic renewal.
> [add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60483] for renewal at [Fri May 31 12:57:09 2019].
> [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483].
>
> Looks like it's initializing my cache for renewal. But shouldn't that happen on login then?
Yes, but as said, as long as the 'ccacheFile' attribute is present SSSD
will add it at startup as well. It is hard to understand what is going
on with just the short log snippets, e.g. if the krb5_child messages are
from a login or renewal attempt and why check_ccache_files wrote an
error message. Feel free to send me the full logs directly.
bye,
Sumit
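As an added diagnostic aid (not code from this thread or from the SSSD project), the following script correlates the domain-log messages Sumit points at, per ccache name: which ccaches were saved for a user, which were queued for automatic renewal, and which `check_ccache_files` could not inspect. The sample lines are constructed after the quoted excerpts (with `@` instead of the archive's `(a)`), and the second and third users are invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Message patterns from the sssd domain log; re.search skips the "(timestamp) [sssd[be[...]]]" prefix.
SAVE_RE = re.compile(r"\[krb5_mod_ccname\].*Save ccname \[([^\]]+)\] for user \[([^\]]+)\]")
ADDING_RE = re.compile(r"\[krb5_auth_done\].*Adding \[([^\]]+)\] for automatic renewal")
ADDED_RE = re.compile(r"\[add_tgt_to_renew_table\].*Added \[([^\]]+)\] for renewal at \[([^\]]+)\]")
FAILED_RE = re.compile(r"\[check_ccache_files\].*Failed to check ccache file \[([^\]]+)\]")

@dataclass
class CcacheState:
    ccname: str
    user: Optional[str] = None        # principal the ccache was saved for (krb5_mod_ccname)
    queued: bool = False              # "Adding ... for automatic renewal" was logged
    renewal_at: Optional[str] = None  # next renewal time from add_tgt_to_renew_table
    check_failed: bool = False        # check_ccache_files could not inspect the ccache

def parse_renewal_log(text: str) -> Dict[str, CcacheState]:
    """Correlate the renewal-related messages by ccache name."""
    states: Dict[str, CcacheState] = {}
    def state(name: str) -> CcacheState:
        return states.setdefault(name, CcacheState(name))
    for line in text.splitlines():
        if m := SAVE_RE.search(line):
            state(m.group(1)).user = m.group(2)
        elif m := ADDING_RE.search(line):
            state(m.group(1)).queued = True
        elif m := ADDED_RE.search(line):
            state(m.group(1)).renewal_at = m.group(2)
        elif m := FAILED_RE.search(line):
            state(m.group(1)).check_failed = True
    return states

def ccaches_needing_attention(states: Dict[str, CcacheState]) -> List[str]:
    """Suspect: SSSD could not check the ccache, or it was saved for a user but
    never queued for renewal (the RHEL8 symptom discussed in the thread)."""
    return sorted(n for n, s in states.items() if s.check_failed or (s.user and not s.queued))

# Constructed sample modelled on the log excerpts quoted in the thread (not real system output).
SAMPLE_LOG = """\
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60483] for user [a001329@ad.example.com].
[krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60483] for automatic renewal.
[add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60483] for renewal at [Fri May 31 12:57:09 2019].
[check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483].
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60484] for user [user2@ad.example.com].
[krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60484] for automatic renewal.
[add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60484] for renewal at [Fri May 31 13:10:00 2019].
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60485] for user [user3@ad.example.com].
"""
```

Run it against a real `/var/log/sssd/sssd_DOMAIN.log` captured with `debug_level=9` by passing the file contents to `parse_renewal_log`.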
>
>
> Adam Winberg
> ITpc
>
> SMHI
> Telefon 011-4958058 Fax 011-4958350
> Epost Adam.Winberg(a)smhi.se
> 601 76 Norrköping Besöksadress Folkborgsvägen 1
>
> www.smhi.se
>
> ________________________________________
> From: Sumit Bose [sbose(a)redhat.com]
> Sent: 31 May 2019 14:29
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
>
> On Fri, May 31, 2019 at 12:05:46PM +0000, Winberg Adam wrote:
> > Yes, klist on RHEL8 after login shows
> >
> > Ticket cache: KEYRING:persistent:60483:krb_ccache_0AxONF2
> >
> > Same as on RHEL7.
> >
> > Restarting SSSD does nothing to my ticket on either RHEL7 or RHEL8, but I guess
> > my ticket lifetime has to have exceeded half the lifetime or something like that for
> > renewal to take place? My ticket is pretty new...
>
> Yes.
>
> As an alternative you can add 'debug_level=9' to the [domain/...]
> section of sssd.conf, restart SSSD and look for "Adding
> [KEYRING:persistent:60483] for automatic renewal" messages in the domain
> log.
>
> bye,
> Sumit
>
> >
> > //Adam
> >
> > ________________________________________
> > From: Sumit Bose [sbose(a)redhat.com]
> > Sent: 31 May 2019 13:52
> > To: sssd-users(a)lists.fedorahosted.org
> > Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
> >
> > On Fri, May 31, 2019 at 11:26:46AM +0000, Winberg Adam wrote:
> > > Aha, interesting. Thank you for a very thorough answer.
> > >
> > > So, on my RHEL8 box the ldbsearch command shows the following attribute for
> > > my user:
> > >
> > > ccacheFile: KEYRING:persistent:60483
> > >
> > > which is exactly the same as on my RHEL7 box.
> >
> > Hi,
> >
> > just to be on the safe side, 'KEYRING:persistent:60483' is also used by
> > sshd on RHEL8, so after logging in with ssh/GSSAPI 'klist' shows the forwarded
> > ticket in this ccache?
> >
> > Have you tried to restart SSSD on RHEL8 as long as there is a valid and
> > renewable ticket in KEYRING:persistent:60483?
> >
> > bye,
> > Sumit
> >
> > >
> > > //Adam
> > >
> > > ________________________________________
> > > From: Sumit Bose [sbose(a)redhat.com]
> > > Sent: 31 May 2019 13:07
> > > To: sssd-users(a)lists.fedorahosted.org
> > > Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
> > >
> > > On Fri, May 31, 2019 at 05:38:23AM +0000, Winberg Adam wrote:
> > > > Ok, so this is an old subject. I know that SSSD can only renew
> > > > kerberos tickets which it itself has generated which is part of the reason for KCM. But
> > > > trying out RHEL8, with KCM disabled (because of some weird behaviour reported in a
> > > > bugzilla ticket), I am affected by this much more than on RHEL7. On RHEL7, sssd manages to
> > > > renew my kerberos ticket even if I login to the server with sshd GSSAPI and forwarded
> > > > credentials ('GSSAPIDelegateCredentials yes'). I am not sure why this works on
> > > > RHEL7 when it according to documentation should not.
> > > >
> > > > On RHEL7, the krb5_child.log clearly shows that SSSD renews my ticket:
> > > >
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x1000): total buffer size: [163]
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): cmd [248] uid [60483] gid [102] validate [true] enterprise principal [false] offline [false] UPN [a001329(a)AD.EXAMPLE.COM]
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [check_use_fast] (0x0100): Not using FAST.
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [60483][102].
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [0][0].
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [become_user] (0x0200): Trying to become user [60483][102].
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x2000): Running as [60483][102].
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_setup] (0x2000): Running as [60483][102].
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x0400): TGT verified using key for [LXSERV940$(a)AD.EXAMPLE.COM].
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [sss_send_pac] (0x0400): PAC responder contacted. It might take a bit of time in case the cache is not up to date.
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_send_data] (0x0200): Received error code 0
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [pack_response_packet] (0x2000): response packet size: [115]
> > > > (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully
> > > >
> > > > And as I said, this ticket is forwarded via SSH (logging in to the
> > > > server via ssh with sssd debugging on yields no log at all from krb5_child, so SSSD is not
> > > > involved in getting the ticket).
> > > >
> > > > So, how does this work on RHEL7 and why does it not work on RHEL8?
> > >
> > > Hi,
> > >
> > > if SSSD is used for authentication it saves the name of the credential
> > > cache to the 'ccacheFile' attribute in the cache. This is mainly done to
> > > keep track of the FILE based ccaches with a random component in the name.
> > >
> > > The ccache is added to a renewal list either when SSSD handles a login,
> > > or at startup where SSSD checks all ccaches found in the 'ccacheFile'
> > > attributes in the cache for still valid and renewable tickets.
> > >
> > > So I assume that on the RHEL7 system you logged in via SSSD once so that
> > > the ccache KEYRING:persistent:60483 is stored in the cache for the user
> > > while on RHEL8 this is not the case. You can check this with the
> > > ldbsearch utility from the ldb-tools package:
> > >
> > > ldbsearch -H /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb | less
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > Thanks.
> > >
> > > > _______________________________________________
> > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...