Hello Everyone,
there seems to be a problem with the KRB TGT auto-renewal feature of
SSSD in version 1.12.2.
I have this config in sssd.conf:
-----------------------------
krb5_renew_interval = 60
-----------------------------
We are using the AD plugin; the KRB plugin is not installed, but
krb-common is (i.e. krb5_child, ldap_child, libsss_krb5_common.so).
#Everything works fine, except auto-renewal!
See the following example:
-----------------------------
$ kinit -l 10m
Password for ne96soh(a)ADS.MWN.DE:
$ klist
Ticket cache: KEYRING:persistent:3036404:krb_ccache_G0haM75
Default principal: user@REALM
Valid starting       Expires              Service principal
12/01/2014 16:59:00  12/01/2014 17:08:58  krbtgt/REALM@REALM
        renew until 12/08/2014 16:59:00
$ sleep 601
$ klist
klist: Credentials cache keyring 'persistent:3036404:krb_ccache_G0haM75'
not found
-----------------------------
=> Ticket did not get renewed after > 5 minutes of its lifetime, or at all,
but expires instead.
I also have this behavior with 'traditional' dir-based cache
collections... it does not work there either.
Also note that SSSD continues to set timeouts to check for renewal even
after the cache is gone:
-----------------------------
(Mon Dec 1 17:08:09 2014) [sssd[be[default]]] [renew_all_tgts]
(0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec
1 17:08:09 2014].
###### Ticket expired here ######
(Mon Dec 1 17:09:09 2014) [sssd[be[default]]] [renew_all_tgts]
(0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec
1 17:09:09 2014].
(Mon Dec 1 17:10:09 2014) [sssd[be[default]]] [renew_all_tgts]
(0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec
1 17:10:09 2014].
(Mon Dec 1 17:11:09 2014) [sssd[be[default]]] [renew_all_tgts]
(0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec
1 17:11:09 2014].
(Mon Dec 1 17:12:09 2014) [sssd[be[default]]] [renew_all_tgts]
(0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec
1 17:12:09 2014].
(Mon Dec 1 17:13:09 2014) [sssd[be[default]]] [renew_all_tgts]
(0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec
1 17:13:09 2014]
...
-----------------------------
But maybe this is normal, as it's only checking for something renewable?
Best regards,
J Brauchle
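
Added example, not part of the original message and not SSSD code: a Python sketch that parses the `renew_all_tgts` debug lines quoted above (still line-wrapped as in the mail), checks that their cadence matches `krb5_renew_interval = 60`, and lists the checks made after the 17:08:58 expiry shown by `klist`. Function names are hypothetical and the sample log is constructed from the lines in the post.

```python
import re
from datetime import datetime

# Constructed sample: the six renew_all_tgts debug lines from the post,
# line-wrapped the same way they are in the mail.
SAMPLE_LOG = "\n".join(
    f"(Mon Dec 1 17:{m:02d}:09 2014) [sssd[be[default]]] [renew_all_tgts]\n"
    "(0x4000): Checking [KEYRING:persistent:3036404] for renewal at [Mon Dec\n"
    f"1 17:{m:02d}:09 2014]."
    for m in range(8, 14)
)
# "Expires" value from the klist output in the post.
TICKET_EXPIRY = datetime(2014, 12, 1, 17, 8, 58)

CHECK_RE = re.compile(
    r"\((?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} \d+ [\d:]{8} \d{4})\) "
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[renew_all_tgts\] "
    r"\(0x[0-9a-f]+\): Checking \[(?P<ccache>[^\]]+)\] for renewal"
)

def parse_checks(text):
    """Return (timestamp, domain, ccache) for every renewal check logged."""
    flat = " ".join(text.split())  # undo mail line-wrapping
    return [
        (datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["domain"], m["ccache"])
        for m in CHECK_RE.finditer(flat)
    ]

def check_intervals(checks):
    """Seconds between consecutive checks, grouped by ccache."""
    last, gaps = {}, {}
    for ts, _domain, ccache in checks:
        if ccache in last:
            gaps.setdefault(ccache, []).append(int((ts - last[ccache]).total_seconds()))
        last[ccache] = ts
    return gaps

def checks_after(checks, expiry):
    """Checks that ran once the ticket had already expired."""
    return [c for c in checks if c[0] > expiry]

if __name__ == "__main__":
    checks = parse_checks(SAMPLE_LOG)
    print("intervals:", check_intervals(checks))
    for ts, _domain, ccache in checks_after(checks, TICKET_EXPIRY):
        print(f"{ts} checked {ccache} after expiry at {TICKET_EXPIRY}")
```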