Bug 701545

Summary: Over-weekend login Kerberos keys are not renewed
Product: [Fedora] Fedora
Reporter: Tim Niemueller <tim>
Component: sssd
Assignee: Stephen Gallagher <sgallagh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Docs Contact:
Priority: unspecified
Version: 15
CC: dpal, jgalipea, jhrozek, sbose, sgallagh, ssorce
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-23 14:47:47 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Description Tim Niemueller 2011-05-03 03:59:09 EDT
Description of problem:
A common thing in our lab is to leave your workstation turned on during the weekend, for example to log in to it later and work. This frequently leads to the problem that, when coming back after a weekend during which the workstation was not used, the Kerberos CC has expired and has not been automatically renewed.

In that situation logins via SSH fail and the screensaver hangs; actually it looks as if the whole desktop freezes, which is probably due to the unavailability of the user's home dir, mounted via NFSv4 and protected by Kerberos. One way to recover was to log in as root and do "su tim -c kinit". This creates a new credentials cache and the system almost immediately comes back to life.

I'm not sure what the proper component is here, I'm filing against ipa-client because I'm certain that people who know what to do get it. It might be that sssd should renew the keys, or possibly gnome-screensaver on an unlock attempt (which might be a problem because the user's home dir is not available in that situation)? The freeipa-server runs on a F-15 machine, the client which freezes is a F-14 machine. A CentOS 5.6 machine is involved as file-server.

In this state it would be hard to introduce FreeIPA/Kerberos as it would cause frequent issue reports because it is a common use case for us.

Version-Release number of selected component (if applicable):
- On the client:
freeipa-client-2.0.0.rc3-0.fc14.x86_64
nfs-utils-1.2.3-5.fc14.x86_64
sssd-1.5.5-1.fc14.x86_64
gnome-screensaver-2.30.2-2.fc14.x86_64
krb5-libs-1.8.2-10.fc14.x86_64

- On the FreeIPA server:
freeipa-server-2.0.0-1.fc15.x86_64

- On the file server:
nfs-utils-1.0.9-50.el5


How reproducible:
Always

Steps to Reproduce:
1. Login to a FreeIPA client machine
2. Leave it unattended until the Kerberos tickets expire (make sure that password locking to screensaver is enabled)
3. Try to unlock the screen
Actual results:
Machine is "frozen", e.g. no desktop interaction is possible.

Expected results:
After giving the correct password screen is unlocked and desktop accessible.

Additional info:
/var/log/messages contains entries like the following:
May  3 09:42:41 client rpc.gssd[1254]: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'REALM'
May  3 09:42:41 client rpc.gssd[1254]: CC file '/tmp/krb5cc_0' owned by 0, not 801
May  3 09:42:41 client rpc.gssd[1254]: CC file '/tmp/krb5cc_801_i8ANZJ' being considered, with preferred realm 'REALM'
May  3 09:42:41 client rpc.gssd[1254]: CC file '/tmp/krb5cc_801_i8ANZJ' is expired or corrupt
May  3 09:42:41 client rpc.gssd[1254]: CC file '/tmp/krb5cc_machine_REALM' being considered, with preferred realm 'REALM'
May  3 09:42:41 client rpc.gssd[1254]: CC file '/tmp/krb5cc_machine_REALM' owned by 0, not 801
May  3 09:42:41 client rpc.gssd[1254]: CC file '/tmp/krb5cc_801_EpWWti' being considered, with preferred realm 'REALM'
May  3 09:42:41 client rpc.gssd[1254]: CC file '/tmp/krb5cc_801_EpWWti' is expired or corrupt
May  3 09:42:41 client rpc.gssd[1254]: WARNING: Failed to create krb5 context for user with uid 801 for server nfs-server
May  3 09:42:41 client rpc.gssd[1254]: doing error downcall

All entries are indeed expired (checked with klist).
Comment 1 Dmitri Pal 2011-05-09 18:10:59 EDT
It seems that you are looking for the following functionality.

https://fedorahosted.org/sssd/ticket/369

I think it is disabled by default.
But check the man pages, sssd is well documented.

If you have any questions ask on the https://fedorahosted.org/mailman/listinfo/sssd-devel or #sssd channel on freenode.
Comment 2 Tim Niemueller 2011-05-09 19:11:19 EDT
What is the reasoning not to enable this by default? Disabling it curses desktop sessions to fail after some time; what drawbacks does enabling it have?
Comment 3 Stephen Gallagher 2011-05-10 08:03:24 EDT
(In reply to comment #2)
> What is the reasoning not to enable this by default? Disabling it curses
> desktop sessions to fail after some time, what drawbacks does enabling it have?

It's not enabled by default for several reasons:

 1) It can result in an increased security risk on the system, as keys are valid for a much longer time period without human intervention
 2) Having every client re-keying can result in higher load on the KDC
 3) Many Kerberos deployments do not allow renewals at all (because of 1), above)
 4) In order to reduce the effect of 2), tuning is required to determine how often to automatically re-key.

There are a couple of 'gotchas' here. You will need to set the following options in sssd.conf for this to work (see sssd-krb5(5)):

krb5_renewable_lifetime
krb5_renew_interval

The first option sets the complete amount of time that you want your users' TGTs to be renewable (I suspect you want this to be three days, so it would be 'krb5_renewable_lifetime = 3d'). The 'gotcha' here is that this is clamped down by the KDC. You need to ensure that your FreeIPA server allows clients to request renewals for at least this length of time.

The second option just specifies how often SSSD should check to see if tickets need to be renewed. I'd suggest in your case that it probably only needs to be about every eight hours, so you would set 'krb5_renew_interval = 28800'.
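Added example (not from the bug report, from SSSD or from FreeIPA): a small Python script that parses constructed klist-style output and classifies the TGT the way a renewal daemon has to, plus a check on whether a given krb5_renew_interval is short enough for a given ticket lifetime. The cache path, principal, realm and dates in the sample are made up; the four-digit-year date format is an assumption about how klist prints on the system in question; the "renew once about half the lifetime has passed" rule is taken from sssd-krb5(5) and exposed as a parameter so it can be adjusted.

```python
"""Inspect a Kerberos credential cache listing and judge whether automatic
renewal can still rescue the TGT.  Added example; the listing below is
constructed, not captured from the reporter's machine."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in the layout klist(1) prints for a renewable TGT
# plus one service ticket.  Principal, realm, path and dates are made up.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_801_EXAMPLE
Default principal: tim@EXAMPLE.TEST

Valid starting       Expires              Service principal
05/06/2011 18:00:00  05/07/2011 04:00:00  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 05/09/2011 18:00:00
05/06/2011 18:00:01  05/07/2011 04:00:00  nfs/fileserver.example.test@EXAMPLE.TEST
"""

# Assumption: klist prints four-digit years in this locale.
DATE_FMT = "%m/%d/%Y %H:%M:%S"
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({_TS})\s*$")


@dataclass
class Ticket:
    service: str
    valid_from: datetime
    expires: datetime
    renew_until: Optional[datetime] = None  # None: ticket is not renewable


def parse_klist(text: str) -> List[Ticket]:
    """Turn klist-style text into Ticket records; a 'renew until' line
    attaches to the ticket printed immediately before it."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m.group(3),
                                  datetime.strptime(m.group(1), DATE_FMT),
                                  datetime.strptime(m.group(2), DATE_FMT)))
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1].renew_until = datetime.strptime(m.group(1), DATE_FMT)
    return tickets


def find_tgt(tickets: List[Ticket]) -> Optional[Ticket]:
    return next((t for t in tickets if t.service.startswith("krbtgt/")), None)


def tgt_state(tgt: Ticket, now: datetime) -> str:
    """A TGT can be renewed only while it is still valid AND before its
    renew-until time.  Once it has expired, only a fresh kinit (password
    or keytab) yields a usable cache, which is the reporter's Monday case."""
    if now >= tgt.expires:
        return "expired: needs fresh kinit"
    if tgt.renew_until is None or now >= tgt.renew_until:
        return "valid but not renewable"
    return "valid and renewable"


def cache_status(klist_text: str, now_str: str) -> str:
    """Convenience wrapper: parse a listing and classify its TGT at now_str."""
    tgt = find_tgt(parse_klist(klist_text))
    if tgt is None:
        return "no TGT in cache"
    return tgt_state(tgt, datetime.strptime(now_str, DATE_FMT))


def renew_interval_is_safe(ticket_lifetime_s: int, renew_interval_s: int,
                           renew_fraction: float = 0.5) -> bool:
    """Is krb5_renew_interval short enough for this ticket lifetime?
    Assumption (sssd-krb5(5)): SSSD renews once about half the lifetime has
    passed.  Worst case a check runs just before that point, so the next
    check is renew_interval_s later and must still precede expiry."""
    return ticket_lifetime_s * renew_fraction + renew_interval_s < ticket_lifetime_s


if __name__ == "__main__":
    for when in ("05/07/2011 00:00:00", "05/09/2011 09:00:00"):
        print(when, "->", cache_status(SAMPLE_KLIST, when))
    for life_h in (10, 24):
        print(f"lifetime {life_h}h, interval 28800s, safe:",
              renew_interval_is_safe(life_h * 3600, 28800))
```

The two checks map onto the two options in Comment 3: cache_status shows why an already-expired cache cannot be rescued by renewal, no matter how long krb5_renewable_lifetime is, and renew_interval_is_safe shows that 28800 seconds is only adequate when tickets live longer than 16 hours under the half-lifetime rule, which is the tuning point in item 4 of that comment.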