#3690 Automatic host principal renewals
Closed: worksforme 6 years ago Opened 6 years ago by gerases.

Hello,

I've noticed that sssd renews/requests a TGT for the host principal every minute or so. I see it in the kdc log. The issue I have with this is that with a large number of hosts this creates extra load on the kdc.

I'm curious about the rationale for this behavior and how I can make these renewals less frequent.

Here are a few lines from the log in my test environment:

...
Mar 25 03:46:47 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: ISSUE: authtime 1521949607, etypes {rep=18 tkt=18 ses=18}, host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:46:47 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: NEEDED_PREAUTH: host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET, Additional pre-authentication required
Mar 25 03:46:47 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: ISSUE: authtime 1521949607, etypes {rep=18 tkt=18 ses=18}, host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:47:19 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: NEEDED_PREAUTH: host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET, Additional pre-authentication required
Mar 25 03:47:19 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: ISSUE: authtime 1521949639, etypes {rep=18 tkt=18 ses=18}, host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:48:24 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: NEEDED_PREAUTH: host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET, Additional pre-authentication required
Mar 25 03:48:24 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: ISSUE: authtime 1521949704, etypes {rep=18 tkt=18 ses=18}, host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:48:24 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: NEEDED_PREAUTH: host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET, Additional pre-authentication required
...

Thank you!
Sergei
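To measure the behaviour reported above on any KDC, here is an added example (editor's code, not part of the ticket and not SSSD or MIT krb5 code) that parses krb5kdc AS_REQ lines, keeps the ISSUE events for krbtgt/ and reports, per client principal, how many fresh TGTs were issued and the gaps between them. It uses the KDC's own authtime field so the syslog year and timezone do not matter. The sample input is the log excerpt from the post plus one constructed line for a second, well-behaved host; the one-hour threshold in churning_principals() and all function names are assumptions.

```python
"""Spot client principals that keep re-requesting TGTs in a krb5kdc log.

Reads krb5kdc.log-style lines, keeps 'AS_REQ ... ISSUE ... for krbtgt/' events
and reports, per client principal, the number of TGTs issued and the gaps
between consecutive issues. A host that caches its TGT should show up roughly
once per ticket lifetime (hours); one that kinit()s on every reconnect shows up
every minute, which is the pattern in the ticket's excerpt.
"""
import re
import statistics
from collections import defaultdict

# Layout of the info-level AS_REQ lines as visible in the post; group names are ours.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{[^}]*\}\) "
    r"(?P<client_ip>\S+): (?P<status>ISSUE|NEEDED_PREAUTH): "
    r"(?:authtime (?P<authtime>\d+), etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)"
)

# Sample input: the lines from the post, plus one constructed line (172.240.0.7,
# host/client7) for a host that fetched a single TGT in the same window.
SAMPLE_LOG = """\
Mar 25 03:46:47 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: ISSUE: authtime 1521949607, etypes {rep=18 tkt=18 ses=18}, host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:46:47 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: NEEDED_PREAUTH: host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET, Additional pre-authentication required
Mar 25 03:46:47 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: ISSUE: authtime 1521949607, etypes {rep=18 tkt=18 ses=18}, host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:47:00 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.7: ISSUE: authtime 1521949620, etypes {rep=18 tkt=18 ses=18}, host/client7.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:47:19 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: NEEDED_PREAUTH: host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET, Additional pre-authentication required
Mar 25 03:47:19 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: ISSUE: authtime 1521949639, etypes {rep=18 tkt=18 ses=18}, host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:48:24 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: NEEDED_PREAUTH: host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET, Additional pre-authentication required
Mar 25 03:48:24 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: ISSUE: authtime 1521949704, etypes {rep=18 tkt=18 ses=18}, host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET
Mar 25 03:48:24 ipa-master.sgerasenko.net krb5kdc[30550](info): AS_REQ (8 etypes {18 17 16 23 25 26 20 19}) 172.240.0.2: NEEDED_PREAUTH: host/ipa-master.sgerasenko.net@SGERASENKO.NET for krbtgt/SGERASENKO.NET@SGERASENKO.NET, Additional pre-authentication required
"""


def parse_as_req(line):
    """Return the fields of one AS_REQ line as a dict, or None for any other line."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # NEEDED_PREAUTH lines carry no authtime; ISSUE lines always do.
    ev["authtime"] = int(ev["authtime"]) if ev["authtime"] else None
    return ev


def tgt_issue_stats(lines):
    """Per client principal: TGTs issued, time span covered and gaps between issues (s)."""
    issues = defaultdict(list)
    for line in lines:
        ev = parse_as_req(line)
        if ev and ev["status"] == "ISSUE" and ev["service"].startswith("krbtgt/"):
            issues[ev["client"]].append(ev["authtime"])
    stats = {}
    for client, times in issues.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        stats[client] = {
            "issued": len(times),
            "span_s": times[-1] - times[0],
            "min_gap_s": min(gaps) if gaps else None,
            "median_gap_s": statistics.median(gaps) if gaps else None,
        }
    return stats


def churning_principals(lines, min_expected_gap_s=3600):
    """Principals whose median gap between fresh TGTs is below the expected one.

    The default threshold is an assumption: a client that caches its TGT comes
    back roughly once per ticket lifetime, which is hours rather than minutes.
    """
    return sorted(
        client
        for client, s in tgt_issue_stats(lines).items()
        if s["median_gap_s"] is not None and s["median_gap_s"] < min_expected_gap_s
    )


if __name__ == "__main__":
    for client, s in sorted(tgt_issue_stats(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}: {s}")
    print("churning:", churning_principals(SAMPLE_LOG.splitlines()))
```

Run it against a real log with `tgt_issue_stats(open("/var/log/krb5kdc.log").read().splitlines())`. Note that each AS exchange with preauthentication produces two AS_REQ lines (NEEDED_PREAUTH, then ISSUE), so counting ISSUE lines only gives the number of TGTs actually handed out; the NEEDED_PREAUTH lines are parsed but ignored in the statistics.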


This should not be the case except if SSSD is trying to connect that often. IIRC currently the connection always triggers a kinit with the assumption that (re)connections should be quite rare. Do you have the matching SSSD logs from the machine that is connecting so often?

It's possible that the behavior is due to my experiments with my VM environment. After I reinitialized the machines, the frequency decreased significantly.

But what prompted me to do the research in the first place was that in our production environment we made the mistake of directing all auth traffic to just one KDC while we were doing maintenance on the other. What started happening is that it seemed that the clients couldn't cache their tickets because of the constantly re-issued requests for TGTs. The KDC logs were showing ISSUE and I saw no errors.

Can you think of why the clients kept reconnecting although the KDC was issuing the tickets? I now know that the KDC was overloaded, but I'm still trying to understand the SSSD behavior.

I don't know why the clients would do that except that the connection would expire and the clients would refresh it. That's why I asked for logs.

Ok, let's ignore this for now until I have logs to provide.

Please reopen the ticket when there are logs, thank you.

Metadata Update from @jhrozek:
- Issue close_status updated to: worksforme
- Issue status updated to: Closed (was: Open)

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4708

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
