Hi,
I am using sssd to renew my kerberos keys every 2 minutes (I know this is short, but it's for testing to see if it actually works). I also set the lifetime of my kerberos tickets to 10 minutes. I verified that sssd is in fact renewing the keys on the interval I specified, because when I run "klist" I see the valid starting time change; however, when I try to access the share it no longer works.
Here is some output:
    tbeaudry@perf-hpc01:~$ date
    Thu Sep 29 10:19:29 EDT 2016
    tbeaudry@perf-hpc01:~$ klist
    Ticket cache: FILE:/usr/krb5/creds/.krb5cache_1624330994
    Default principal: tbeaudry@CONCORDIA.CA

    Valid starting       Expires              Service principal
    2016-09-29 10:18:54  2016-09-29 10:28:54  krbtgt/CONCORDIA.CA@CONCORDIA.CA
            renew until 2016-10-06 10:12:54
    tbeaudry@perf-hpc01:~$ cd ~
    -bash: cd: /NAS/home/tbeaudry: Key has expired

From my krb5.conf:

    [libdefaults]
    default_realm = CONCORDIA.CA
    dns_lookup_realm = true
    dns_lookup_kdc = true
    ticket_lifetime = 10m
    renew_lifetime = 7d

From my sssd.conf:

    [domain/concordia.ca]
    ad_domain = concordia.ca
    krb5_realm = CONCORDIA.CA
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    #use_fully_qualified_names = True
    override_homedir = /NAS/home/%u
    fallback_homedir = /home/%u
    access_provider = ad
    debug_level=7
    ignore_group_members=True
    krb5_renewable_lifetime = 7d
    krb5_renew_interval = 2m

Thanks!
Thomas
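The klist output above is the evidence the whole thread turns on: the cache holds a TGT that is valid right now, yet the mount says "Key has expired". The script below is an added example (not code from the thread or from SSSD) that parses that klist output and classifies the TGT against a timestamp, which is the first check to make before deciding whether the credential cache or the mount is at fault. The sample text is the report's own klist output, reproduced one field per line; it assumes timestamps are printed in the YYYY-MM-DD HH:MM:SS form shown in the report (klist's timestamp format depends on locale).

```python
import re
from datetime import datetime

# Constructed sample: the klist output from the report above, one field per line.
SAMPLE_KLIST = """Ticket cache: FILE:/usr/krb5/creds/.krb5cache_1624330994
Default principal: tbeaudry@CONCORDIA.CA

Valid starting       Expires              Service principal
2016-09-29 10:18:54  2016-09-29 10:28:54  krbtgt/CONCORDIA.CA@CONCORDIA.CA
\trenew until 2016-10-06 10:12:54
"""

FMT = "%Y-%m-%d %H:%M:%S"        # assumption: timestamps look as they do in the report
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")


def parse_ts(s):
    return datetime.strptime(s, FMT)


def parse_klist(text):
    """Return {'cache', 'principal', 'tickets': [{'start','expires','service','renew_until'}]}."""
    info = {"cache": None, "principal": None, "tickets": []}
    for line in text.splitlines():
        if line.startswith("Ticket cache:"):
            info["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            info["principal"] = line.split(":", 1)[1].strip()
        elif (m := TICKET_RE.match(line)):
            info["tickets"].append({"start": parse_ts(m.group(1)),
                                    "expires": parse_ts(m.group(2)),
                                    "service": m.group(3),
                                    "renew_until": None})
        elif (m := RENEW_RE.match(line)) and info["tickets"]:
            # a "renew until" line refers to the ticket printed just above it
            info["tickets"][-1]["renew_until"] = parse_ts(m.group(1))
    return info


def tgt_state(info, now):
    """Classify the TGT at time `now`: 'valid'; 'expired-renewable' (past Expires
    but before 'renew until', so `kinit -R` can still replace it); or 'expired'."""
    tgts = [t for t in info["tickets"] if t["service"].startswith("krbtgt/")]
    if not tgts:
        return {"state": "no-tgt", "seconds_left": None}
    t = tgts[0]
    if t["start"] <= now < t["expires"]:
        state = "valid"
    elif t["renew_until"] is not None and now < t["renew_until"]:
        state = "expired-renewable"
    else:
        state = "expired"
    return {"state": state, "seconds_left": int((t["expires"] - now).total_seconds())}


def explain_key_expired(info, now):
    """'Key has expired' is the message text for errno EKEYEXPIRED. If the cache
    that klist shows holds a valid TGT, that error did not come from this cache:
    the security context the mount is using was built from an older ticket (the
    "key used at mounting time" in the thread), so look at the NFS/GSS side."""
    s = tgt_state(info, now)
    if s["state"] == "valid":
        return "ccache-valid: the mount is using a stale security context, not this cache"
    return "ccache-%s: renew or re-acquire the TGT before blaming the mount" % s["state"]


if __name__ == "__main__":
    info = parse_klist(SAMPLE_KLIST)
    now = parse_ts("2016-09-29 10:19:29")   # the `date` output from the report
    print(info["cache"], tgt_state(info, now), explain_key_expired(info, now))
```

Run against the report's numbers it reports a TGT with 565 seconds left, i.e. the user-side cache is healthy and the "expired" verdict belongs to whatever credential the mount's security context was established with.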
On Thu, Sep 29, 2016 at 02:38:55PM +0000, Thomas Beaudry wrote:
> Hi,
> I am using sssd to renew my kerberos keys every 2 minutes (I know this is short, but it's for testing to see if it actually works). I also set the lifetime of my kerberos tickets to 10 minutes. I verified that sssd is in fact renewing the keys on the interval I specified, because when I run "klist" I see the valid starting time change; however, when I try to access the share it no longer works.

What kind of share is it? It looks like the file system does not pick up the new key but continues to use the one used at mounting time.

bye,
Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Hi,
It's an NFS 4.1 share mounted with autofs. Yes, it must be using the old key even though it's not in /tmp, and it expires at the original key's expiration time, so I'm not quite sure how to debug it.

Thanks,
Thomas
________________________________________
From: Sumit Bose <sbose@redhat.com>
Sent: Thursday, September 29, 2016 10:51 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: kerberos Key has expired
On Thu, Sep 29, 2016 at 03:03:04PM +0000, Thomas Beaudry wrote:
> Hi,
> It's an NFS 4.1 share mounted with autofs. Yes, it must be using the old key even though it's not in /tmp, and it expires at the original key's expiration time, so I'm not quite sure how to debug it.

Maybe http://wiki.linux-nfs.org/wiki/index.php/General_troubleshooting_recommendat... might help?

I guess you would be able to run into the same issue if you call

    kinit -R -l 10m

repeatedly. In this case I think it is not an SSSD issue.

bye,
Sumit
Hi Sumit,
Yes, you are right, kinit -R -l 10m doesn't work either, so the problem lies elsewhere. At least I know where not to look first.

Have a nice day,
Thomas
________________________________________
From: Sumit Bose <sbose@redhat.com>
Sent: Thursday, September 29, 2016 11:26 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: kerberos Key has expired
Hello,
I'm using sssd-ldap (1.12) with
ldap_uri =
pointing to a DNS name with 2 A records (simple DNS round robin).
My question is about what happens when the ldap server sssd has an active connection to is shut down. It seems that, if the entry is not in the cache, sssd simply returns no entry, which could lead to strange behaviour (usernames stop getting resolved, ...) at the application level.

My understanding is that my setup is not compatible with the failover feature. But it seems to me that the failover is about the _initial_ server lookup (i.e. to find an answering server) anyway, isn't it?

What is the best way to deal with an active backend connection which gets closed, without returning a "false" empty entry?

Thanks
--
T. H.
On Thu, Sep 29, 2016 at 06:50:50PM +0200, Thomas Hummel wrote:
> Hello,
> I'm using sssd-ldap (1.12) with
> ldap_uri =
> pointing to a DNS name with 2 A records (simple DNS round robin).

Correct, we only use the first record.

> My question is about what happens when the ldap server sssd has an active connection to is shut down. It seems that, if the entry is not in the cache, sssd simply returns no entry, which could lead to strange behaviour (usernames stop getting resolved, ...) at the application level.
> My understanding is that my setup is not compatible with the failover feature. But it seems to me that the failover is about the _initial_ server lookup (i.e. to find an answering server) anyway, isn't it?
> What is the best way to deal with an active backend connection which gets closed, without returning a "false" empty entry?
The recommended way is to use SRV records.
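The difference between the two setups is in what the client gets to try. A round-robin A record gives SSSD one address (the first in the answer), so when that server goes away there is no second candidate and the lookup comes back empty; an SRV RRset (`_ldap._tcp.<domain>`, selected in sssd.conf with `ldap_uri = _srv_`) gives it an ordered list to fall through. The following is an added example, not SSSD code: it implements the RFC 2782 client-side ordering of SRV records and a minimal try-in-order connect, beside the "first A record only" behaviour described above. The SRV set, the A-record answers and the `is_up` probe are constructed for the demonstration.

```python
import random

# Constructed SRV RRset for _ldap._tcp.example.com: (priority, weight, port, target)
SRV_RECORDS = [
    (0, 50, 389, "ldap1.example.com"),
    (0, 50, 389, "ldap2.example.com"),
    (10, 0, 389, "ldap-dr.example.com"),   # reached only when every priority-0 host fails
]

# Constructed answers for a round-robin A record, as two successive lookups might return them
A_ROUND_ROBIN = [["192.0.2.1", "192.0.2.2"], ["192.0.2.2", "192.0.2.1"]]


def order_srv(records, seed=None):
    """RFC 2782 client ordering: lower priority first; within a priority, weighted
    random selection without replacement. Returns ['host:port', ...] in the order
    a client should try them."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        group.sort(key=lambda r: r[1] != 0)       # RFC 2782: weight-0 entries go first
        while group:
            total = sum(r[1] for r in group)
            pick = rng.randint(0, total)
            running = 0
            for i, r in enumerate(group):
                running += r[1]
                if running >= pick:
                    ordered.append("%s:%d" % (r[3], r[2]))
                    del group[i]
                    break
    return ordered


def a_record_candidates(answers):
    """The behaviour described in the thread for ldap_uri pointing at a round-robin
    name: only the first A record in the answer is used."""
    return [answers[0]]


def connect_with_failover(candidates, is_up):
    """Try candidates in order and return the first one `is_up` accepts, or None
    when none answers (the case that surfaces as an empty lookup result)."""
    for server in candidates:
        if is_up(server):
            return server
    return None


if __name__ == "__main__":
    down = {"ldap1.example.com:389", "192.0.2.1"}
    up = lambda s: s not in down
    print("SRV:", connect_with_failover(order_srv(SRV_RECORDS, seed=1), up))
    print("A  :", connect_with_failover(a_record_candidates(A_ROUND_ROBIN[0]), up))
```

With ldap1 down, the SRV path lands on ldap2 and, if both primaries are down, on the priority-10 host; the A-record path returns None whenever the first address in that particular answer is the dead one, and succeeds only when the resolver happens to rotate the live address to the front, which is the "seems to work" effect a rotating resolver produces.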
Jakub Hrozek wrote:
> On Thu, Sep 29, 2016 at 06:50:50PM +0200, Thomas Hummel wrote:
>> I'm using sssd-ldap (1.12) with
>> ldap_uri =
>> pointing to a DNS name with 2 A records (simple DNS round robin).
>
> Correct, we only use the first record.

Which seems to work for me with DNS servers implementing round robin (short TTL and an always rotated list of A RRs in the result).

Ciao,
Michael.