Ok, so this is an old subject. I know that SSSD can only renew Kerberos tickets which it itself has generated, which is part of the reason for KCM. But trying out RHEL8, with KCM disabled (because of some weird behaviour reported in a Bugzilla ticket), I am affected by this much more than on RHEL7. On RHEL7, sssd manages to renew my Kerberos ticket even if I log in to the server with sshd GSSAPI and forwarded credentials ('GSSAPIDelegateCredentials yes'). I am not sure why this works on RHEL7 when, according to the documentation, it should not.
On RHEL7, the krb5_child.log clearly shows that SSSD renews my ticket:
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x1000): total buffer size: [163]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): cmd [248] uid [60483] gid [102] validate [true] enterprise principal [false] offline [false] UPN [a001329@AD.EXAMPLE.COM]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [check_use_fast] (0x0100): Not using FAST.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [60483][102].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [0][0].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [become_user] (0x0200): Trying to become user [60483][102].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x2000): Running as [60483][102].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_setup] (0x2000): Running as [60483][102].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): No specific lifetime requested.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x0400): TGT verified using key for [LXSERV940$@AD.EXAMPLE.COM].
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [sss_send_pac] (0x0400): PAC responder contacted. It might take a bit of time in case the cache is not up to date.
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_send_data] (0x0200): Received error code 0
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [pack_response_packet] (0x2000): response packet size: [115]
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully
And as I said, this ticket is forwarded via SSH (logging in to the server via ssh with sssd debugging on yields no log at all from krb5_child, so SSSD is not involved in getting the ticket).
So, how does this work on RHEL7 and why does it not work on RHEL8?
Thanks.
On Fri, May 31, 2019 at 05:38:23AM +0000, Winberg Adam wrote:
Hi,
if SSSD is used for authentication it saves the name of the credential cache to the 'ccacheFile' attribute in the cache. This is mainly done to keep track of the FILE-based ccaches with a random component in the name.
The ccache is added to a renewal list either when SSSD handles a login, or at startup, where SSSD checks all ccaches found in the 'ccacheFile' attributes in the cache for still valid and renewable tickets.
So I assume that on the RHEL7 system you logged in via SSSD once, so that the ccache KEYRING:persistent:60483 is stored in the cache for the user, while on RHEL8 this is not the case. You can check this with the ldbsearch utility from the ldb-tools package:
ldbsearch -H /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb | less
HTH
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Aha, interesting. Thank you for a very thorough answer.
So, on my RHEL8 box the ldbsearch command shows the following attribute for my user:
ccacheFile: KEYRING:persistent:60483
which is exactly the same as on my RHEL7 box.
//Adam
From: Sumit Bose [sbose@redhat.com] Sent: 31 May 2019 13:07 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
On Fri, May 31, 2019 at 11:26:46AM +0000, Winberg Adam wrote:
Hi,
just to be on the safe side, 'KEYRING:persistent:60483' is also used by sshd on RHEL8, so after logging in with ssh/GSSAPI 'klist' shows the forwarded ticket in this ccache?
Have you tried to restart SSSD on RHEL8 as long as there is a valid and renewable ticket in KEYRING:persistent:60483?
bye, Sumit
Yes, klist on RHEL8 after login shows
Ticket cache: KEYRING:persistent:60483:krb_ccache_0AxONF2
Same as on RHEL7.
Restarting SSSD does nothing to my ticket on either RHEL7 or RHEL8, but I guess my ticket lifetime has to have exceeded half the lifetime or something like that for renewal to take place? My ticket is pretty new...
//Adam
From: Sumit Bose [sbose@redhat.com] Sent: 31 May 2019 13:52 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
On Fri, May 31, 2019 at 12:05:46PM +0000, Winberg Adam wrote:
Yes, klist on RHEL8 after login shows
Ticket cache: KEYRING:persistent:60483:krb_ccache_0AxONF2
Same as on RHEL7.
Restarting SSSD does nothing to my ticket on either RHEL7 or RHEL8, but I guess my ticket lifetime has to have exceeded half the lifetime or something like that for renewal to take place? My ticket is pretty new...
Yes.
As an alternative you can add 'debug_level=9' to the [domain/...] section of sssd.conf, restart SSSD and look for "Adding [KEYRING:persistent:60483] for automatic renewal" messages in the domain log.
bye, Sumit
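The three checks Sumit walks through in this thread (a 'ccacheFile' attribute for the user in the sysdb cache, a renewable ticket actually sitting in that ccache, and the "Adding [...] for automatic renewal" message in the domain log at debug_level=9) as one added shell diagnostic; this is example code, not from the thread or from the SSSD project, and the ldbsearch/klist/log output it parses is constructed sample text in the layouts shown above.

```shell
#!/bin/sh
# Added diagnostic; not code from this thread or from the SSSD project.
# It scripts the checks Sumit walks through above, in order:
#   1. the user's sysdb entry (ldbsearch on cache_DOMAIN.ldb) carries ccacheFile,
#   2. klist shows a renewable TGT sitting in that very ccache,
#   3. with debug_level=9 the domain log reports "Adding [<ccache>] for automatic renewal".
# Each parser reads tool output from stdin, so it can be exercised on the
# constructed samples at the bottom; run_live wires them to the real tools.
# The ldbsearch/klist layouts assumed here are modelled on ldb-tools and MIT krb5.

# 1. Print the ccacheFile value of the sysdb entry whose uidNumber is $1.
#    ldbsearch prints records separated by blank lines, so awk paragraph
#    mode (RS = "") handles one entry at a time.
ccache_for_uid() {
    awk -v uid="$1" 'BEGIN { RS = ""; FS = "\n" }
    {
        hit = 0; cc = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "uidNumber: " uid) hit = 1
            if (index($i, "ccacheFile: ") == 1) cc = substr($i, 13)
        }
        if (hit && cc != "") { print cc; exit }
    }'
}

# 2. Succeed only if the klist -f output on stdin belongs to ccache $1 (exactly,
#    or a KEYRING sub-cache such as KEYRING:persistent:60483:krb_ccache_XXXX)
#    and its krbtgt entry carries the R (renewable) flag. Without R there is
#    nothing for SSSD to renew, wherever the ticket lives.
tgt_renewable_in() {
    awk -v want="$1" '
    index($0, "Ticket cache: ") == 1 {
        cache = substr($0, 15)
        in_cache = (cache == want || index(cache, want ":") == 1)
    }
    in_cache && /krbtgt\//      { tgt = 1 }      # flags follow on the next line
    in_cache && tgt && /Flags:/ { if ($0 ~ /Flags: [A-Za-z]*R/) ok = 1; tgt = 0 }
    END { exit (ok ? 0 : 1) }'
}

# 3. Succeed if the domain log on stdin shows SSSD putting $1 on its renewal list.
renewal_registered() {
    grep -qF "Adding [$1] for automatic renewal"
}

# Run all three on a live host (root for ldbsearch and the log, klist as the
# user in question; paths are the RHEL defaults, $2 is the sssd.conf domain name).
run_live() {
    uid="$1"; domain="$2"
    cc=$(ldbsearch -H "/var/lib/sss/db/cache_${domain}.ldb" | ccache_for_uid "$uid")
    [ -n "$cc" ] || { echo "uid $uid has no ccacheFile: SSSD never handled a login for it"; return 1; }
    klist -f | tgt_renewable_in "$cc" || { echo "no renewable TGT in $cc"; return 1; }
    if renewal_registered "$cc" < "/var/log/sssd/sssd_${domain}.log"; then
        echo "$cc is on the renewal list"
    else
        echo "$cc not registered yet: restart SSSD while the ticket is valid and check debug_level"
        return 1
    fi
}

# Constructed sample output (not captured from a real system).
SAMPLE_LDB='# record 1
dn: name=a001329@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
name: a001329@ad.example.com
uidNumber: 60483
gidNumber: 102
ccacheFile: KEYRING:persistent:60483

# record 2
dn: name=svc_backup@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
name: svc_backup@ad.example.com
uidNumber: 60490
gidNumber: 102

# returned 2 records'

KLIST_HEAD='Ticket cache: KEYRING:persistent:60483:krb_ccache_0AxONF2
Default principal: a001329@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
05/31/2019 00:08:45  05/31/2019 10:08:45  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM'
SAMPLE_KLIST_OK="$KLIST_HEAD
        renew until 06/07/2019 00:08:45, Flags: FfRA"
SAMPLE_KLIST_NOREN="$KLIST_HEAD
        Flags: FfA"

SAMPLE_LOG='(Fri May 31 14:02:11 2019) [sssd[be[ad.example.com]]] (0x0400): Adding [KEYRING:persistent:60483] for automatic renewal'

# Stand-alone run against the samples.
printf '%s\n' "$SAMPLE_LDB" | ccache_for_uid 60483
printf '%s\n' "$SAMPLE_KLIST_OK" | tgt_renewable_in KEYRING:persistent:60483 && echo "renewable TGT in place"
printf '%s\n' "$SAMPLE_LOG" | renewal_registered KEYRING:persistent:60483 && echo "registered for renewal"
```

The second check is the one that separates the page's two observations: 'ccacheFile' says KEYRING:persistent:60483 while klist reports the sub-cache KEYRING:persistent:60483:krb_ccache_0AxONF2, and the prefix match treats those as the same collection.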
//Adam
From: Sumit Bose [sbose@redhat.com] Sent: 31 May 2019 13:52 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
On Fri, May 31, 2019 at 11:26:46AM +0000, Winberg Adam wrote:
Aha, interesting. Thank you for a very thorough answer.
So, on my RHEL8 box the ldbsearch command shows the following attribute for my user:
ccacheFile: KEYRING:persistent:60483
which is exactly the same as on my RHEL7 box.
Hi,
just to be on the safe side, 'KEYRING:persistent:60483' is also used by sshd on RHEL8, so after logging in with ssh/GSSAPI 'klist' shows the forwarded ticket in this ccache?
Have you tried to restart SSSD on RHEL8 as long as there is a valid and renewable ticket in KEYRING:persistent:60483?
bye, Sumit
//Adam
From: Sumit Bose [sbose@redhat.com] Sent: 31 May 2019 13:07 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
On Fri, May 31, 2019 at 05:38:23AM +0000, Winberg Adam wrote:
Ok, so this is an old subject. I know that SSSD can only renew kerberos tickets which it itself has generated which is part of the reason for KCM. But trying out RHEL8, with KCM disabled (because of some weird behaviour reported in a bugzilla ticket), I am affected by this much more than on RHEL7. On RHEL7, sssd manages to renew my kerberos ticket even if I login to the server with sshd GSSAPI and forwarded credentials ('GSSAPIDelegateCredentials yes'). I am not sure why this works on RHEL7 when it according to documentation should not.
On RHEL7, the krb5_child.log clearly shows that SSSD renews my ticket:
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child started. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x1000): total buffer size: [163] (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): cmd [248] uid [60483] gid [102] validate [true] enterprise principal [false] offline [false] UPN [a001329@AD.EXAMPLE.COM] (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab] (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [check_use_fast] (0x0100): Not using FAST. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [60483][102]. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [switch_creds] (0x0200): Switch user to [0][0]. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [become_user] (0x0200): Trying to become user [60483][102]. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x2000): Running as [60483][102]. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_setup] (0x2000): Running as [60483][102]. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): Renewable lifetime is set to [7d] (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_lifetime_options] (0x0100): No specific lifetime requested. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [set_canonicalize_option] (0x0100): Canonicalization is set to [true] (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): Will perform ticket renewal (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [renew_tgt_child] (0x1000): Renewing a ticket (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x2000): Found keytab entry with the realm of the credential. 
(Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [validate_tgt] (0x0400): TGT verified using key for [LXSERV940$@AD.EXAMPLE.COM]. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [sss_send_pac] (0x0400): PAC responder contacted. It might take a bit of time in case the cache is not up to date. (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [k5c_send_data] (0x0200): Received error code 0 (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [pack_response_packet] (0x2000): response packet size: [115] (Fri May 31 00:08:45 2019) [[sssd[krb5_child[62512]]]] [main] (0x0400): krb5_child completed successfully
And as I said, this ticket is forwarded via SSH (logging in to the server via ssh with sssd debugging on yields no log at all from krb5_child, so SSSD is not involved in getting the ticket).
So, how does this work on RHEL7 and why does it not work on RHEL8?
Hi,
if SSSD is used for authentication it saves the name of the credential cache to the 'ccacheFile' attribute in the cache. This is mainly done to keep track of the FILE based ccaches with a random component in the name.
The ccache is added to a renewal list either when SSSD handles a login, or at startup, where SSSD checks all ccaches found in the 'ccacheFile' attributes in the cache for still valid and renewable tickets.
So I assume that on the RHEL7 system you logged in via SSSD once so that the ccache KEYRING:persistent:60483 is stored in the cache for the user while on RHEL8 this is not the case. You can check this with the ldbsearch utility from the ldb-tools package:
ldbsearch -H /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb | less
HTH
bye, Sumit
Thanks.
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
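The startup check Sumit describes (look up every 'ccacheFile' in the domain ldb and keep the ones whose ccache still holds a valid, renewable TGT) as an added shell example; it is not code from the thread or from SSSD. It assumes ldb-tools, klist and runuser are installed and root for the live run; the ldbsearch and klist output embedded in it is constructed from the values quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: list the ccaches SSSD
# remembers in its domain cache ('ccacheFile' attributes) and check each one
# the way SSSD does at startup: does it still hold a valid, renewable TGT?
# Assumptions: ldbsearch (ldb-tools), klist and runuser are installed, and the
# live check runs as root so it can read the cache and act as each user.

# Constructed ldbsearch output (LDIF) mirroring the thread: one user with a
# remembered ccache, one without.
SAMPLE_LDB='# record 1
dn: name=a001329@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
uidNumber: 60483
ccacheFile: KEYRING:persistent:60483

# record 2
dn: name=svc_backup@ad.example.com,cn=users,cn=ad.example.com,cn=sysdb
uidNumber: 60500

# returned 2 records
'

# Constructed "klist -f" output for that ccache: the TGT carries the R
# (renewable) flag and a "renew until" time; the host ticket is ignored.
SAMPLE_KLIST='Ticket cache: KEYRING:persistent:60483:krb_ccache_0AxONF2
Default principal: a001329@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
05/31/2019 12:57:09  05/31/2019 22:57:09  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 06/07/2019 12:57:09, Flags: FRIA
05/31/2019 12:57:10  05/31/2019 22:57:09  host/lxserv940.ad.example.com@AD.EXAMPLE.COM
        renew until 06/07/2019 12:57:09, Flags: FRAT
'

# stdin: ldbsearch LDIF. stdout: "<uidNumber> <ccacheFile>" for every user
# that has a remembered ccache (LDIF records are separated by blank lines).
parse_ccache_entries() {
    awk '
        /^dn: /         { uid = ""; cc = "" }
        /^uidNumber: /  { uid = $2 }
        /^ccacheFile: / { cc = $2 }
        /^$/ && uid != "" && cc != "" { print uid, cc; uid = ""; cc = "" }
        END { if (uid != "" && cc != "") print uid, cc }
    '
}

# stdin: "klist -f" output. Prints the renew-until time and exits 0 when the
# TGT is renewable; exits 1 (no TGT) or 2 (TGT not renewable) otherwise.
classify_klist() {
    awk '
        /krbtgt\// { have_tgt = 1; want_flags = 1; next }
        want_flags && /Flags: / {
            want_flags = 0
            split($0, parts, "Flags: "); flags = parts[2]
            if (index(flags, "R") > 0) renewable = 1
            if (match($0, /renew until [^,]*/))
                renew_until = substr($0, RSTART + 12, RLENGTH - 12)
        }
        END {
            if (!have_tgt)  { print "no TGT in cache"; exit 1 }
            if (!renewable) { print "TGT is not renewable"; exit 2 }
            print "renewable until " renew_until
        }
    '
}

# Live check (root): inspect every remembered ccache as its owner, since
# KEYRING:persistent:<uid> is per user. klist -s exits non-zero when the
# cache is unreadable or expired; klist -f then exposes the R flag.
check_remembered_ccaches() {
    ldbsearch -H "$1" '(ccacheFile=*)' uidNumber ccacheFile | parse_ccache_entries |
    while read -r uid cc; do
        name=$(id -nu "$uid") || { echo "$uid: unknown uid"; continue; }
        printf '%s (%s): ' "$name" "$cc"
        runuser -u "$name" -- sh -c 'klist -s -c "$1" && klist -f -c "$1"' sh "$cc" |
            classify_klist || true
    done
}
```

On a live system run check_remembered_ccaches /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb as root; a ccache that does not come back as "renewable until ..." is one the startup pass will not queue for renewal.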
Ok, doing that on RHEL7 yielded the following log message:
[check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483]
On RHEL8 I get a bit more:
/var/log/sssd/krb5_child.log
[unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
[k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:60483] and is active and TGT is valid.
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:60483]
[sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KEYRING:persistent:60483:krb_ccache_0AxONF2]
[create_ccache] (0x4000): Initializing ccache of type [KEYRING]
/var/log/sssd/sssd_ad.example.com.log
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60483] for user [a001329@ad.example.com].
[krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60483] for automatic renewal.
[add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60483] for renewal at [Fri May 31 12:57:09 2019].
[check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483].
Looks like it's initializing my cache for renewal. But shouldn't that happen on login then?
Adam Winberg ITpc
SMHI Phone 011-4958058 Fax 011-4958350 Email Adam.Winberg@smhi.se 601 76 Norrköping Visiting address Folkborgsvägen 1 www.smhi.se
From: Sumit Bose [sbose@redhat.com] Sent: 31 May 2019 14:29 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
On Fri, May 31, 2019 at 12:05:46PM +0000, Winberg Adam wrote:
Yes, klist on RHEL8 after login shows
Ticket cache: KEYRING:persistent:60483:krb_ccache_0AxONF2
Same as on RHEL7.
Restarting SSSD does nothing to my ticket on either RHEL7 or RHEL8, but I guess my ticket lifetime has to have exceeded half the lifetime or something like that for renewal to take place? My ticket is pretty new...
Yes.
As an alternative you can add 'debug_level=9' to the [domain/...] section of sssd.conf, restart SSSD and look for "Adding [KEYRING:persistent:60483] for automatic renewal" messages in the domain log.
bye, Sumit
//Adam
From: Sumit Bose [sbose@redhat.com] Sent: 31 May 2019 13:52 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd renew TGT with ssh gssapi
On Fri, May 31, 2019 at 11:26:46AM +0000, Winberg Adam wrote:
Aha, interesting. Thank you for a very thorough answer.
So, on my RHEL8 box the ldbsearch command shows the following attribute for my user:
ccacheFile: KEYRING:persistent:60483
which is exactly the same as on my RHEL7 box.
Hi,
just to be on the safe side, 'KEYRING:persistent:60483' is also used by sshd on RHEL8, so after logging in with ssh/GSSAPI 'klist' shows the forwarded ticket in this ccache?
Have you tried to restart SSSD on RHEL8 as long as there is a valid and renewable ticket in KEYRING:persistent:60483?
bye, Sumit
//Adam
On Fri, May 31, 2019 at 01:01:27PM +0000, Winberg Adam wrote:
Ok, doing that on RHEL7 yielded the following log message:
[check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483]
On RHEL8 I get a bit more:
/var/log/sssd/krb5_child.log
[unpack_buffer] (0x0100): ccname: [KEYRING:persistent:60483] old_ccname: [KEYRING:persistent:60483] keytab: [/etc/krb5.keytab]
[k5c_check_old_ccache] (0x4000): Ccache_file is [KEYRING:persistent:60483] and is active and TGT is valid.
[sss_get_ccache_name_for_principal] (0x4000): Location: [KEYRING:persistent:60483]
[sss_get_ccache_name_for_principal] (0x4000): tmp_ccname: [KEYRING:persistent:60483:krb_ccache_0AxONF2]
[create_ccache] (0x4000): Initializing ccache of type [KEYRING]
/var/log/sssd/sssd_ad.example.com.log
[krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60483] for user [a001329@ad.example.com].
[krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60483] for automatic renewal.
[add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60483] for renewal at [Fri May 31 12:57:09 2019].
[check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483].
Looks like it's initializing my cache for renewal. But shouldn't that happen on login then?
Yes, but as said, as long as the 'ccacheFile' attribute is present SSSD will add it at startup as well. It is hard to understand what is going on with just the short log snippets, e.g. if the krb5_child messages are from a login or renewal attempt and why check_ccache_files wrote an error message. Feel free to send me the full logs directly.
bye, Sumit
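An added shell example for the debug_level=9 check Sumit suggests (not code from the thread or from SSSD): it condenses the "Added [...] for renewal at [...]" and "Failed to check ccache file [...]" messages from the domain log into one line per ccache, so the two events can be read together instead of hunting for them. The sample log lines are constructed from the messages Adam quoted; the sssd_be timestamp and process prefix on them is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: condense what a
# debug_level=9 domain log says about TGT renewal into one line per ccache.
# On a real system: renewal_summary < /var/log/sssd/sssd_ad.example.com.log

# Constructed sample modelled on the messages quoted in this thread; the
# "(timestamp) [sssd[be[domain]]]" prefix is the assumed sssd_be log format.
SAMPLE_DOMAIN_LOG='(Fri May 31 12:57:09 2019) [sssd[be[ad.example.com]]] [krb5_mod_ccname] (0x4000): Save ccname [KEYRING:persistent:60483] for user [a001329@ad.example.com].
(Fri May 31 12:57:09 2019) [sssd[be[ad.example.com]]] [krb5_auth_done] (0x1000): Adding [KEYRING:persistent:60483] for automatic renewal.
(Fri May 31 12:57:09 2019) [sssd[be[ad.example.com]]] [add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60483] for renewal at [Fri May 31 12:57:09 2019].
(Fri May 31 12:57:10 2019) [sssd[be[ad.example.com]]] [check_ccache_files] (0x0200): Failed to check ccache file [KEYRING:persistent:60483].
(Fri May 31 13:10:00 2019) [sssd[be[ad.example.com]]] [add_tgt_to_renew_table] (0x1000): Added [KEYRING:persistent:60490] for renewal at [Fri May 31 13:10:00 2019].
'

# stdin: sssd domain log. stdout: per ccache, whether it reached the renewal
# table (and when) and whether the startup check_ccache_files pass complained.
renewal_summary() {
    awk '
        # Text between "key" and the next "]" in s, or "" when key is absent.
        function bracketed(s, key,   p) {
            p = index(s, key); if (p == 0) return ""
            s = substr(s, p + length(key))
            return substr(s, 1, index(s, "]") - 1)
        }
        # Remember first-seen order so the report is stable.
        function seen(cc) { if (!(cc in known)) { known[cc] = 1; order[++n] = cc } }
        /\[add_tgt_to_renew_table\].*Added \[/ {
            cc = bracketed($0, "Added ["); seen(cc)
            queued[cc] = bracketed($0, "for renewal at [")
        }
        /\[check_ccache_files\].*Failed to check ccache file \[/ {
            cc = bracketed($0, "ccache file ["); seen(cc); failed[cc] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                cc = order[i]; line = cc ": "
                line = line ((cc in queued) ? "queued for renewal at " queued[cc] \
                                            : "never added to the renewal table")
                if (cc in failed) line = line "; check_ccache_files reported a failure"
                print line
            }
        }
    '
}
```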