Learn more about these different git repos.
Other Git URLs
https://bugzilla.redhat.com/show_bug.cgi?id=817030 (Red Hat Enterprise Linux 6)
Description of problem: I'm unable to get a renewable ticket with new sssd (RHEL6.3 beta), Using REHL6.3 beta IPA server and Client, with the same configuration I get renewable ticket in RHEL6.2 Client. ipa-client-install configured sssd.conf, I just added the following lines to it. krb5_renewable_lifetime = 5d krb5_renew_interval = 500 Version-Release number of selected component (if applicable): sssd-1.8.0-23.el6.x86_64 ipa-client-2.2.0-11.el6.x86_64 krb5-workstation-1.9-32.el6.x86_64 krb5-libs-1.9-32.el6.x86_64 How reproducible: Always Steps to Reproduce: 1. run ipa-client-install 2. Add krb5_renewable_lifetime & krb5_renew_interval to sssd.conf 3. login as one of the ipa user Actual results: IPA user gets a ticket which cannot be renewed. klist does not show "renew until" date/time. luser1@10.65.200.189's password: Last login: Fri Apr 27 11:57:28 2012 from 10.65.222.102 [luser1@dhcp8-189 ~]$ klist Ticket cache: FILE:/tmp/krb5cc_143000001_eOneJl1918 Default principal: luser1@PNQ.REDHAT.COM Valid starting Expires Service principal 04/27/12 12:05:49 04/28/12 12:05:49 krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM [luser1@dhcp8-189 ~]$ [luser1@dhcp8-189 ~]$ kinit -R kinit: KDC can't fulfill requested option while renewing credentials Expected results: IPA user gets a ticket which can be renewed up to 5 days. luser1@10.65.200.189's password: Last login: Fri Apr 27 11:57:28 2012 from 10.65.222.102 [luser1@dhcp8-189 ~]$ klist Ticket cache: FILE:/tmp/krb5cc_143000001_eOneJl1918 Default principal: luser1@PNQ.REDHAT.COM Valid starting Expires Service principal 04/27/12 12:05:49 04/28/12 12:05:49 krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM renew until <5 days from the above date> Additional info: This works correctly on a RHEL6.2 machine. $ ssh vm123.gsslab.pnq.redhat.com -l luser1 luser1@vm123.gsslab.pnq.redhat.com's password: Last login: Fri Apr 27 12:17:41 2012 from 10.65.222.102 [luser1@vm123 ~]$ klist Ticket cache: FILE:/tmp/krb5cc_143000001_2esNV6 Default principal: luser1@PNQ.REDHAT.COM Valid starting Expires Service principal 04/27/12 12:19:07 04/28/12 12:19:00 krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM renew until 05/02/12 12:19:00 [luser1@vm123 ~]$ kinit -R [luser1@vm123 ~]$ klist Ticket cache: FILE:/tmp/krb5cc_143000001_2esNV6 Default principal: luser1@PNQ.REDHAT.COM Valid starting Expires Service principal 04/27/12 12:34:03 04/28/12 12:33:56 krbtgt/PNQ.REDHAT.COM@PNQ.REDHAT.COM renew until 05/02/12 12:19:00 packages used : sssd-1.5.1-66.el6_2.3.x86_64 krb5-workstation-1.9-22.el6_2.1.x86_64 ipa-client-2.1.3-9.el6.x86_64 Also the ticket renewal works correctly if I use "kinit -r 5d" and "kinit -R" commands. (from the affected rhel6.3 beta machine)
Fields changed
blockedby: => blocking: => coverity: => feature_milestone: => keywords: => Regression owner: somebody => jhrozek tests: => 0 testsupdated: => 0 upgrade: => 0
There is no bug in SSSD. The issue was that sshd_config specified
KerberosAuthentication yes
which results in SSSD not being contacted when performing password authentication. As a result, SSSD's configuration was not being honored.
resolution: => worksforme status: new => closed
Metadata Update from @sgallagh: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.8.3 (LTM)
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2357
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.