
Re: [Freeipa-users] Kerberos key renewal not working



adding sssd-devel

On Thu, Aug 11, 2011 at 10:14:09AM +0200, Tim Niemueller wrote:
> Hi all.
> 
> We have setup FreeIPA on a F-15 virtual machine. I'm currently
> testing with a F-14 client. We would like to keep F-14, as F-15
> seems not generally stable enough for wide deployment (graphics
> issues etc.). I have described the setup a bit at
> http://www.niemueller.de/blog/id/245, which was possible only
> through numerous IRC sessions on #freeipa. This issue here seems a
> little more long-standing, hence the mail this time.
> 
> I'm having a hard time getting the setup running reliably. Initial
> login and desktop use works fine. But a typical use case is leaving
> the desktop running overnight with just the screen locked (there
> might be stuff running in the background). Now, if I return the next
> day and try to use the machine the machine is frozen and cannot be
> used. Tickets have not been renewed, in particular the one for the
> NFSv4 server protected by Kerberos (sec=krb5). It just expired after
> 24h.
> 
> The problem can be recreated quickly with a shorter 5 minute
> lifetime with the following modifications (on the client).
> 
> This assumes that you have /home mounted via Kerberos-protected NFSv4 share!
> 
> In /etc/sssd/sssd.conf:
> [domain/somedomain]
> krb5_renewable_lifetime = 14d
> krb5_renew_interval = 60
> krb5_lifetime = 5m
> 
> [domain/default]
> krb5_renewable_lifetime = 14d
> krb5_renew_interval = 60
> krb5_lifetime = 5m
> 
> Then reboot (just restarting sssd does not always show the problem,
> especially if you had been logged in before).
> Then login and wait five minutes, the machine freezes, as the NFS
> key has expired. If you do a klist just before the timeout expires,
> you see that the keys have not been renewed as expected (but the
> renewable end time is still way in the future, even if the FreeIPA
> server default of 7d was not increased). Maybe I need to set some
> magic flag for rpc.gssd, but I couldn't find it.

Which version of sssd are you using? Does it work if you manually call
'kinit -R' before the ticket expires? Can you send a sanitized version
of the sssd log files with debug_level=9?

bye,
Sumit

> 
> Is there something I can do on my side to get this working? Or is it
> a FreeIPA or sssd shortcoming, or even "intended not to work by
> design"?
> 
> Ideally, I want to make it possible for users to just keep logged in
> all the time, so even acquiring new tickets automatically by
> requesting an intermediate user authentication or just doing it from
> the screensaver would be great, but I guess with /home mounted I'm
> pretty much out of luck? Is there alternatively a way to only
> authenticate the host via krb5, but not the user? In the old days we
> would simply use IP addresses to allow access. Well, that's bad, but
> having just the host authenticate to prevent laptop road warriors
> from snooping around could be just enough for us and avoid user
> ticket renewal, any idea?
> 
> Thanks for your input.
> 	Tim
> 
> -- 
> KBSG - Knowledge-Based Systems Group            AllemaniACs RoboCup Team
> ========================================================================
> http://robocup.rwth-aachen.de                     RWTH Aachen University
> http://kbsg.rwth-aachen.de                               Ahornstrasse 55
> http://www.fawkesrobotics.org                             D-52056 Aachen
> 
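An added check, not code from this thread or from sssd/FreeIPA, that classifies the tickets in `klist` output so a cron job or screensaver hook can tell "still valid" from the state Tim describes above: expired although the renewable end time is still in the future. It assumes the MIT krb5 klist layout of that era ("MM/DD/YY HH:MM:SS" timestamps, an indented "renew until" line under renewable tickets); the sample cache contents and principal names are constructed.

```shell
#!/bin/sh
# Added example (not from the list thread or from sssd). Reads klist text on
# stdin; $1 is the current time in klist's own "MM/DD/YY HH:MM:SS" format.
# Prints "<service principal> <status>" per ticket; exit 2 if any is not VALID.
check_tickets() {
  awk -v now_raw="$1" '
    # "MM/DD/YY HH:MM:SS" -> "YYMMDDHHMMSS": timestamps then compare as strings
    # (two-digit years are fine within one century; no date(1) dependency).
    function to_s(dt,  a) { split(dt, a, "[/ :]"); return a[3] a[1] a[2] a[4] a[5] a[6] }
    function emit(   st) {
      if (now < expires)                   st = (renew == "" ? "VALID-NOT-RENEWABLE" : "VALID")
      else if (renew != "" && now < renew) st = "EXPIRED-RENEWAL-MISSED"  # kinit -R only works before expiry
      else                                 st = "EXPIRED"
      if (st != "VALID") bad = 1
      print svc, st
    }
    BEGIN { now = to_s(now_raw) }
    # Ticket line: "<start date> <time>  <expiry date> <time>  <service principal>"
    $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && NF >= 5 {
      if (svc != "") emit()
      svc = $5; expires = to_s($3 " " $4); renew = ""
      next
    }
    $1 == "renew" && $2 == "until" { renew = to_s($3 " " $4) }
    END { if (svc != "") emit(); exit (bad ? 2 : 0) }
  '
}

# Constructed klist output mirroring the 5-minute-lifetime reproduction: TGT and
# NFS ticket renewable for 14 days, plus a non-renewable host ticket.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tim@EXAMPLE.COM

Valid starting     Expires            Service principal
08/11/11 10:00:00  08/11/11 10:05:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 08/25/11 10:00:00
08/11/11 10:00:01  08/11/11 10:05:00  nfs/nfs.example.com@EXAMPLE.COM
        renew until 08/25/11 10:00:01
08/11/11 10:00:02  08/11/11 10:05:00  host/client.example.com@EXAMPLE.COM'

# One minute after the lifetime ran out: the two renewable tickets report
# EXPIRED-RENEWAL-MISSED (sssd should have renewed them), the host ticket EXPIRED.
printf '%s\n' "$SAMPLE_KLIST" | check_tickets "08/11/11 10:06:00" || echo "exit status $?"
```

Against a live cache, run `klist | check_tickets "$(date +'%m/%d/%y %H:%M:%S')"` and act on the exit status.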

