#2689 ipa-client-install sets "KerberosAuthentication yes" in sshd_config, breaking SSSD auth
Closed: Fixed. Opened 11 years ago by rcritten.

https://bugzilla.redhat.com/show_bug.cgi?id=817030 (Red Hat Enterprise Linux 6)

Description of problem:

I'm unable to get a renewable ticket with the new sssd (RHEL 6.3 beta), using a
RHEL 6.3 beta IPA server and client. With the same configuration I get a renewable
ticket on a RHEL 6.2 client.

ipa-client-install configured sssd.conf; I just added the following lines to
it.

krb5_renewable_lifetime = 5d
krb5_renew_interval = 500

Version-Release number of selected component (if applicable):
sssd-1.8.0-23.el6.x86_64
ipa-client-2.2.0-11.el6.x86_64
krb5-workstation-1.9-32.el6.x86_64
krb5-libs-1.9-32.el6.x86_64


How reproducible:

Always

Steps to Reproduce:
1. Run ipa-client-install
2. Add krb5_renewable_lifetime & krb5_renew_interval to sssd.conf
3. Log in as one of the IPA users

Actual results:

The IPA user gets a ticket which cannot be renewed. klist does not show a "renew
until" date/time.

luser1@10.65.200.189's password:
Last login: Fri Apr 27 11:57:28 2012 from 10.65.222.102
[luser1@dhcp8-189 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_143000001_eOneJl1918
Default principal: luser1@PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/27/12 12:05:49  04/28/12 12:05:49  krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM
[luser1@dhcp8-189 ~]$

[luser1@dhcp8-189 ~]$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

Expected results:

The IPA user gets a ticket which can be renewed for up to 5 days.

luser1@10.65.200.189's password:
Last login: Fri Apr 27 11:57:28 2012 from 10.65.222.102
[luser1@dhcp8-189 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_143000001_eOneJl1918
Default principal: luser1@PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/27/12 12:05:49  04/28/12 12:05:49  krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM
     renew until <5 days from the above date>

Additional info: This works correctly on a RHEL6.2 machine.

$ ssh vm123.gsslab.pnq.redhat.com -l luser1
luser1@vm123.gsslab.pnq.redhat.com's password:
Last login: Fri Apr 27 12:17:41 2012 from 10.65.222.102
[luser1@vm123 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_143000001_2esNV6
Default principal: luser1@PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/27/12 12:19:07  04/28/12 12:19:00  krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM
        renew until 05/02/12 12:19:00

[luser1@vm123 ~]$ kinit -R
[luser1@vm123 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_143000001_2esNV6
Default principal: luser1@PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/27/12 12:34:03  04/28/12 12:33:56  krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM
        renew until 05/02/12 12:19:00

Packages used:

sssd-1.5.1-66.el6_2.3.x86_64
krb5-workstation-1.9-22.el6_2.1.x86_64
ipa-client-2.1.3-9.el6.x86_64

Also, ticket renewal works correctly if I use the "kinit -r 5d" and "kinit -R"
commands (from the affected RHEL 6.3 beta machine).

Just for the record, this setting was requested in #1634.
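The report above shows the symptom (a TGT with no "renew until" line) but not how to tell, on a given client, which of the three pieces is at fault. The following POSIX shell script is an added diagnostic written for this ticket; it is not code from the FreeIPA project or from ipa-client-install. It checks the first uncommented KerberosAuthentication directive in sshd_config (sshd honours the first occurrence of a keyword, and with it set to yes sshd verifies the password against the KDC and stores the TGT itself, so pam_sss and the renewal options in sssd.conf never see that login), checks that krb5_renewable_lifetime and krb5_renew_interval live in a [domain/...] section of sssd.conf, and parses klist output for a renewable TGT. The file contents it creates under a temporary directory are constructed samples (the klist captures are copied from the ticket); the realm, domain name and paths in them are placeholders, and on a real client you would point the functions at /etc/ssh/sshd_config, /etc/sssd/sssd.conf and live klist output instead.

```shell
#!/bin/sh
# Added diagnostic for FreeIPA ticket #2689; not part of FreeIPA or ipa-client-install.
# Checks the three places involved in the "non-renewable TGT after SSH login" symptom.

# sshd uses the FIRST uncommented occurrence of a keyword; the default is "no".
# Returns 0 (true) when KerberosAuthentication is effectively "yes".
sshd_kerberos_auth_enabled() {
    val=$(awk 'tolower($1) == "kerberosauthentication" { print tolower($2); exit }' "$1")
    [ "${val:-no}" = "yes" ]
}

# Returns 0 when both renewal options are set inside a [domain/...] section.
# Options placed under [sssd] or [pam] by mistake do not count.
sssd_renewal_configured() {
    awk '
        /^\[/ { in_domain = ($0 ~ /^\[domain\//) }
        in_domain && /^[ \t]*krb5_renewable_lifetime[ \t]*=/ { life = 1 }
        in_domain && /^[ \t]*krb5_renew_interval[ \t]*=/     { interval = 1 }
        END { exit ((life && interval) ? 0 : 1) }
    ' "$1"
}

# Reads klist output on stdin. klist prints "renew until ..." on the line right
# after a renewable ticket, so succeed only if the krbtgt entry has that line.
tgt_is_renewable() {
    awk '
        /krbtgt\// { after_tgt = 1; next }
        after_tgt && /renew until/ { found = 1; exit }
        { after_tgt = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# ---- constructed sample inputs (placeholders, not real hosts or realms) ----
WORK=$(mktemp -d)

cat > "$WORK/sshd_config" <<'EOF'
# constructed sample of what the ticket says ipa-client-install wrote
GSSAPIAuthentication yes
KerberosAuthentication yes
UsePAM yes
EOF

cat > "$WORK/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
krb5_renewable_lifetime = 5d
krb5_renew_interval = 500
EOF

# klist output from the broken RHEL 6.3 beta client, as pasted in the ticket
cat > "$WORK/klist_broken.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_143000001_eOneJl1918
Default principal: luser1@PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/27/12 12:05:49  04/28/12 12:05:49  krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM
EOF

# klist output from the working RHEL 6.2 client, as pasted in the ticket
cat > "$WORK/klist_ok.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_143000001_2esNV6
Default principal: luser1@PNQ.REDHAT.COM

Valid starting     Expires            Service principal
04/27/12 12:19:07  04/28/12 12:19:00  krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM
        renew until 05/02/12 12:19:00
EOF

# Human-readable summary: sshd_config, sssd.conf, then a klist capture.
report() {
    if sshd_kerberos_auth_enabled "$1"; then
        echo "sshd_config: KerberosAuthentication yes -> SSH password logins bypass pam_sss/SSSD"
    else
        echo "sshd_config: KerberosAuthentication off -> SSH password logins go through PAM/SSSD"
    fi
    if sssd_renewal_configured "$2"; then
        echo "sssd.conf: krb5_renewable_lifetime and krb5_renew_interval present in a [domain/...] section"
    else
        echo "sssd.conf: renewal options missing from every [domain/...] section"
    fi
    if tgt_is_renewable < "$3"; then
        echo "klist: TGT is renewable"
    else
        echo "klist: TGT has no 'renew until' line, so kinit -R cannot renew it"
    fi
}

report "$WORK/sshd_config" "$WORK/sssd.conf" "$WORK/klist_broken.txt"
```

Run against the constructed files it reports the exact combination in this ticket: renewal configured in sssd.conf, KerberosAuthentication on in sshd_config, and a TGT without "renew until". Replacing the third argument with `klist_ok.txt` shows the healthy RHEL 6.2 case.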

Metadata Update from @rcritten:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/04

6 years ago
