#1526 SSSD does not auto renew kerberos credentials when auth_provider is 'ipa'
Closed: Fixed None Opened 7 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=857108 (Red Hat Enterprise Linux 6)

Description of problem: SSSD does not auto renew kerberos credentials if
auth_provider is set to 'ipa', it works if I set auth_provier=krb5.

Version-Release number of selected component :sssd-1.8.0-32

How reproducible: Always

Steps to Reproduce:
1. Configure ipa client using ipa-client-install
2. Add options to auto renew the tickets
3. login as ipa user and check whether credentials get auto renewed or not.

Actual results: ipa user credentials are not renewed automatically.


Expected results: ipa user credentials get renewed automatically


Additional info:

* I verified the authentication is done by pam_sssd & the TGT is renewable
(user can do a kinit -R and renew it manually).

Configuration used :

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = gsslab.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, vm213.gsslab.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 10
krb5_lifetime = 120s
krb5_renewable_lifetime = 150m
krb5_renew_interval = 10s

-----------

sssd logs:

[sssd[be[gsslab.pnq.redhat.com]]] [krb5_child_done] (0x1000): Adding
[FILE:/tmp/krb5cc_1195600006_1ZpsNs] for automatic renewal.
[sssd[be[gsslab.pnq.redhat.com]]] [add_tgt_to_renew_table] (0x1000): Renew
context not initialized, automatic renewal not available.

----------

It works if I set 'auth_provider = krb5' and other details (krb5 realm and
server address).

This was fixed in 3441d0c upstream.

blockedby: =>
blocking: =>
coverity: =>
feature_milestone: =>
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0
resolution: => fixed
status: new => closed

Metadata Update from @dpal:
- Issue set to the milestone: SSSD 1.9.0

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2568

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata