Bug 1627112

Summary: RFE: Kerberos ticket renewal for sssd-kcm
Product: Red Hat Enterprise Linux 8 Reporter: Striker Leggette <striker>
Component: sssdAssignee: jstephen
Status: CLOSED ERRATA QA Contact: Anuj Borah <aborah>
Severity: low Docs Contact: David Voženílek <dvozenil>
Priority: high    
Version: 8.3CC: abokovoy, aborah, adam.winberg, a.korsunsky, amessina, asn, atikhono, bugreports2005, extras-qa, fdvorak, fhanzelk, grajaiya, jhrozek, jstephen, lslebodn, mkosek, orion, pbrezina, puiterwijk, rakkumar, sbose, sgallagh, sgoveas, ssorce, thalman, tscherf
Target Milestone: pre-dev-freezeKeywords: FutureFeature, Reopened, Triaged
Target Release: ---Flags: sgoveas: mirror+
Hardware: All   
OS: Linux   
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.5.1-2.el8 Doc Type: Enhancement
Doc Text:
.SSSD KCM now supports the auto-renewal of ticket granting tickets With this enhancement, you can now configure the System Security Services Daemon (SSSD) Kerberos Cache Manager (KCM) service to auto-renew ticket granting tickets (TGTs) stored in the KCM credential cache on an Identity Management (IdM) server. Renewals are only attempted when half of the ticket lifetime has been reached. To use auto-renewal, the key distribution center (KDC) on the IdM server must be configured to support renewable Kerberos tickets. You can enable TGT auto-renewal by modifying the [kcm] section of the `/etc/sssd/sssd.conf` file. For example, you can configure SSSD to check for renewable KCM-stored TGTs every 60 minutes and attempt auto-renewal if half of the ticket lifetime has been reached by adding the following options to the file: ---- [kcm] tgt_renewal = true krb5_renew_interval = 60m ---- Alternatively, you can configure SSSD to inherit `krb5` options for renewals from an existing domain: ---- [kcm] tgt_renewal = true tgt_renewal_inherit = domain-name ---- For more information, see the `Renewals` section of the `sssd-kcm` man page.
 Story Points: ---
Clone Of: 1496869 Environment:
Last Closed: 2021-11-09 19:46:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1496869, 1682305, 1964619    
Bug Blocks: 1679810, 1755139    
Attachments:
Description Flags
Logs and configs attched none

Description Striker Leggette 2018-09-10 13:19:58 UTC 
+++ This bug was initially created as a clone of Bug #1496869 +++

Description of problem:
After having switched to sssd-kcm and KCM: ccaches, sssd-kcm does not automatically refresh tickets.

Version-Release number of selected component (if applicable):
sssd-1.15.3-3.fc26.x86_64
sssd-kcm-1.15.3-3.fc26.x86_64

How reproducible:
Consistent

Steps to Reproduce:
1. In krb5.conf, set ticket_lifetime=5m and renew_lifetime=7d
2. Get a ticket
3. After 5 minutes, do a klist or use the ticket

Actual results:
The ticket has expired and using it returns errors.

Expected results:
The ticket got auto-renewed and using the ticket results in correct authenticators being produced.

Additional info:

--- Additional comment from Jakub Hrozek on 2017-09-28 14:09:55 EDT ---

Sorry, but this is not implemented yet. I hope to get the renewals implemented quite soon, not before F-27 GA, but before F-27. However, currently it doesn't work this way.

I guess the design page made it sound like the functionality is already there?

In general yes, this is of the reasons we went along with KCM by default..because currently either you log with SSSD and then it takes care of the renewals or you kinit and then you must call kinit -R to renew the ticket -- but since SSSD can only renew tickets it knows about, it wouldn't renew tickets acquired through kinit. If KCM renewed all the tickets, this problem would go away.

--- Additional comment from Patrick Uiterwijk on 2017-09-28 15:50:17 EDT ---

Ah, okay. I was following the https://fedoraproject.org/wiki/Changes/KerberosKCMCache#How_To_Test instructions: "If the Kerberos ticket that was acquired is renewable, SSSD would renew the ticket automatically.".

Maybe it would be good to update the testing instructions then.

--- Additional comment from Jakub Hrozek on 2017-10-05 11:06:54 EDT ---

Upstream ticket:
https://pagure.io/SSSD/sssd/issue/1723

--- Additional comment from Fabiano Fidêncio on 2018-04-11 11:31:56 EDT ---

As this issue is an RFE already being tracked on our pagure, I'd like to close it here.

Please, if, for some reason, you need this bug tracked on rhbz, feel free to re-open it.
Comment 3 Jakub Hrozek 2018-09-11 07:46:04 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/1723
Comment 6 Tomas Halman 2020-08-25 08:37:17 UTC 
Upstream ticket after migration to github:
https://github.com/SSSD/sssd/issues/2765
Comment 9 Pavel Březina 2021-05-10 12:55:01 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5450

* `master`
    * ec932d35172819ac68343355faaad4dc6ffae688 - KCM: Disable responder idle timeout with renewals
    * ddcedbf3bc6b267d40d8a7edcb65f8d61ec13dd1 - KCM: Conditionally build KCM renewals support
    * 0202eb53ab18b5eeac53fc96bf5e0569276e3767 - INTG: Add KCM Renewal integration test
    * a55405b3edd6312a5e39567e4bdde5522ffc6a0a - TESTS: Add kcm_renewals unit test
    * 1dc3c33c8d2f4ca4a41b186746c44f74510c2f38 - SECRETS: Don't hardcode SECRETS_DB_PATH
    * 599f0ad056dc8fc052395d5abe0e110e4e68a886 - KCM: Prepare and execute renewals
    * 993b66d48d555c59e619d7ef3b494248a82587ac - KCM: Read and set KCM renewal and krb5 options
Comment 10 Pavel Březina 2021-05-10 13:07:11 UTC 
* `master`
  * e30129410023ec71790625e6f799b8c7d69b5f6b - man: add krb5_options to po4a.cfg
Comment 13 Alexey Tikhonov 2021-05-19 15:09:31 UTC 
Additional patch posted for review upstream: https://github.com/SSSD/sssd/pull/5643
Comment 14 Anuj Borah 2021-05-19 15:46:33 UTC 
Created attachment 1784863 [details]
Logs and configs attched
Comment 16 Alexey Tikhonov 2021-05-20 10:41:31 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5643

* `master`
    * dbde4e692e34d3ff8233ac17a5eae5a062637e48 - SECRETS: Resolve mkey path correctly
Comment 20 Alexey Tikhonov 2021-06-09 17:54:05 UTC 
Additional PR: https://github.com/SSSD/sssd/pull/5675
Comment 22 Alexey Tikhonov 2021-06-15 11:48:38 UTC 
Also see https://github.com/SSSD/sssd/pull/5685
Comment 24 Alexey Tikhonov 2021-06-18 12:11:59 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5675

* `master`
    * 9e47bb98ce8904300e8e8ec38a5c988c3d280969 - KCM: Unset _SSS_LOOPS


Pushed PR: https://github.com/SSSD/sssd/pull/5688

* `master`
    * a6e5d53a358f3871d8ae646b252250d215d09883 - kcm: terminate client on bad message
Comment 42 bugreports2005 2021-08-12 07:52:36 UTC 
I do hope this gets addressed in RHEL8 since it makes sssd-kcm rather useless.
It doesn't help at all that cifs-utils no longer looks for FILE:/tmp/krb5cc_$uid_XXXXXXXXXX - the default cache in absence of sssd-kcm - when authenticating my samba mounts from autofs.
Only FILE:/tmp/krb5cc_$uid works anymore.
Comment 43 Alexey Tikhonov 2021-08-18 18:25:31 UTC 
(In reply to bugreports2005 from comment #42)
> I do hope this gets addressed in RHEL8 since it makes sssd-kcm rather
> useless.
> It doesn't help at all that cifs-utils no longer looks for
> FILE:/tmp/krb5cc_$uid_XXXXXXXXXX - the default cache in absence of sssd-kcm
> - when authenticating my samba mounts from autofs.
> Only FILE:/tmp/krb5cc_$uid works anymore.

Not sure I understand this message correctly, but JFYI this RFE is preliminary planned for a release in RHEL 8.5 and 9.0-beta.
Comment 46 errata-xmlrpc 2021-11-09 19:46:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4435