Description of problem:
A recent upgrade in Fedora 31 (noticed in [1]) broke IPA/kerberos authentication of ssh. It complains about "Ticket expired" even though it's clearly not.

[1] https://github.com/cockpit-project/bots/pull/57

Version-Release number of selected component (if applicable):
sssd-krb5-2.2.2-1.fc31.x86_64
freeipa-client-4.8.1-1.fc31.x86_64
openssh-8.0p1-8.fc31.1.x86_64
krb5-libs-1.17-45.fc31.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Join machine to a FreeIPA server
2. Log in as FreeIPA user. This should get you a ticket:

   $ klist
   Ticket cache: KCM:420800000
   Default principal: admin

   Valid starting       Expires              Service principal
   01.10.2019 02:38:20  02.10.2019 02:38:20  krbtgt/COCKPIT.LAN

3. Try to ssh into some machine of the domain. In my case, I'm just using the same machine with its public FreeIPA DNS name:

   $ ssh -vv x0.cockpit.lan

Actual results:
ssh login through GSSAPI fails:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Ticket expired
debug1: Unspecified GSS failure. Minor code may provide more information
Ticket expired
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey

Note that the ticket is not expired, see klist output (it's valid until tomorrow).

Expected results:
ssh login succeeds through kerberos:

debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to x0.cockpit.lan (via proxy).
debug1: channel 0: new [client-session]

Additional info:

Why did you file this against sssd? Sounds like krb5 or ssh related.
Sounds like a duplicate of a ticket filed earlier, dupclosing

*** This bug has been marked as a duplicate of bug 1757224 ***
(In reply to Simo Sorce from comment #1)
> Why did you file this against sssd?
> Sounds like krb5 or ssh related.

Or maybe KCM? It might be good to check if there is the same issue with KEYRING.

bye,
Sumit