Bug 677318 - Does not read renewable ccache at startup.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Stephen Gallagher
QA Contact: Chandrasekar Kannan
Blocks: 679097
Reported: 2011-02-14 05:56 EST by Gowrishankar Rajaiyan
Modified: 2015-01-04 18:46 EST
Fixed In Version: sssd-1.5.1-10.el6
Doc Type: Bug Fix
Clones: 679097
Last Closed: 2011-05-19 07:38:39 EDT

Attachments:
sssd_default.log (40.68 KB, text/plain), 2011-02-14 05:56 EST, Gowrishankar Rajaiyan

Description Gowrishankar Rajaiyan 2011-02-14 05:56:04 EST
Created attachment 478603
sssd_default.log

Description of problem:


Version-Release number of selected component (if applicable):
sssd-1.5.1-5.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Login as puser1

-bash-4.1$ klist 
Ticket cache: FILE:/tmp/krb5_cache/krb5cc_puser1
Default principal: puser1@EXAMPLE.COM

Valid starting     Expires            Service principal
02/14/11 15:45:51  02/14/11 15:47:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 02/14/11 15:50:51

2. and check for "[renew_all_tgts] (9): Checking [FILE:/tmp/krb5_cache/krb5cc_puser1] for renewal at [Mon Feb 14 15:46:51 2011]."
3. Stop KDC
4. and in the logs ... "[renew_handler] (7): Offline, adding renewal task to online callbacks."
5. Now start KDC and restart SSSD. (make sure to start both of them well within "renew until" time)
  
Actual results:
Checking for renewing the tgt does not resume during startup.

Expected results:
Should read the renewable ccache at startup.

Additional info:
KDC setup:
kadmin.local:  getprinc krbtgt/EXAMPLE.COM@EXAMPLE.COM
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 0 days 00:02:00
Maximum renewable life: 0 days 00:05:00
Last modified: Mon Feb 14 04:17:42 EST 2011 (root/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 7
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes:
Policy: [none]

kadmin.local:  getprinc puser1@EXAMPLE.COM
Principal: puser1@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Feb 14 01:07:17 EST 2011
Password expiration date: [none]
Maximum ticket life: 0 days 00:02:00
Maximum renewable life: 0 days 00:05:00
Last modified: Mon Feb 14 04:17:49 EST 2011 (root/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 26, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 26, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 26, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 26, ArcFour with HMAC/md5, no salt
Key: vno 26, DES with HMAC/sha1, no salt
Key: vno 26, DES cbc mode with RSA-MD5, no salt
Key: vno 26, DES cbc mode with CRC-32, Version 4
Key: vno 26, DES cbc mode with CRC-32, AFS version 3
MKey: vno 1
Attributes:
Policy: [none]


Relevant SSSD section:
[domain/default]
id_provider = ldap
ldap_uri = ldaps://sssdldap.idm.lab.bos.redhat.com:636
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
cache_credentials = false
enumerate = false
debug_level = 9

auth_provider = krb5
krb5_kdcip = sssdldap.idm.lab.bos.redhat.com
krb5_realm = EXAMPLE.COM
chpass_provider = krb5
krb5_ccachedir = /tmp/krb5_cache
krb5_ccname_template = FILE:%d/krb5cc_%u

krb5_renewable_lifetime = 5m
krb5_lifetime = 120s
krb5_renew_interval = 10s
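
A check for steps 2 to 5 of the report, as an added example that is not part of the original bug report or of SSSD: it reads the ccache name and "renew until" time from the klist output, then looks for "[renew_all_tgts] ... Checking" lines logged after the restart. The "(timestamp) [sssd[be[default]]]" line prefix, the restart time and the sample log lines are constructed assumptions; only the two message texts and the klist output come from the report.

```python
import re
from datetime import datetime

KLIST_FMT = "%m/%d/%y %H:%M:%S"   # date layout of the klist output in the report
LOG_FMT = "%a %b %d %H:%M:%S %Y"  # ctime-style stamp, as inside the quoted log message

def parse_klist(text):
    """Return (ccache name, renew-until time) from klist output with a renewable TGT."""
    ccache = re.search(r"^Ticket cache: (\S+)", text, re.M)
    until = re.search(r"krbtgt/\S+\s*\n\s*renew until (\S+ \S+)", text)
    if not ccache or not until:
        raise ValueError("no renewable krbtgt entry found")
    return ccache.group(1), datetime.strptime(until.group(1), KLIST_FMT)

def renewal_checks(log_text, ccache):
    """Times at which renew_all_tgts logged a renewal check for this ccache."""
    pat = re.compile(r"^\((.{24})\) .*\[renew_all_tgts\] \(\d+\): Checking \["
                     + re.escape(ccache) + r"\] for renewal", re.M)
    return [datetime.strptime(m.group(1), LOG_FMT) for m in pat.finditer(log_text)]

def verdict(klist_text, log_text, restarted_at):
    """Classify one run of the reproduction steps."""
    ccache, renew_until = parse_klist(klist_text)
    if restarted_at >= renew_until:
        return "inconclusive"  # step 5 needs the restart inside the renewable window
    resumed = any(t >= restarted_at for t in renewal_checks(log_text, ccache))
    return "resumed" if resumed else "not resumed"

# --- constructed sample data ---
CC = "FILE:/tmp/krb5_cache/krb5cc_puser1"
KLIST = (f"Ticket cache: {CC}\nDefault principal: puser1@EXAMPLE.COM\n\n"
         "Valid starting     Expires            Service principal\n"
         "02/14/11 15:45:51  02/14/11 15:47:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
         "\trenew until 02/14/11 15:50:51\n")
PREFIX = "[sssd[be[default]]]"  # assumed log-line prefix, not taken from the report
CHECK = f"{PREFIX} [renew_all_tgts] (9): Checking [{CC}] for renewal at [Mon Feb 14 15:46:51 2011]."
LOG_NOT_RESUMED = (f"(Mon Feb 14 15:46:41 2011) {CHECK}\n"
                   f"(Mon Feb 14 15:46:51 2011) {PREFIX} [renew_handler] (7): "
                   "Offline, adding renewal task to online callbacks.\n")
LOG_RESUMED = LOG_NOT_RESUMED + f"(Mon Feb 14 15:48:40 2011) {CHECK}\n"
RESTARTED_AT = datetime(2011, 2, 14, 15, 48, 30)  # constructed restart time

if __name__ == "__main__":
    for name, log in (("not resumed sample", LOG_NOT_RESUMED), ("resumed sample", LOG_RESUMED)):
        print(name, "->", verdict(KLIST, log, RESTARTED_AT))
```
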

Comment 1 Gowrishankar Rajaiyan 2011-02-14 06:02:11 EST
This issue is being tracked by upstream bug
https://fedorahosted.org/sssd/ticket/796

Comment 6 Gowrishankar Rajaiyan 2011-03-10 01:34:46 EST
Checking for renewing the tgt does resume during startup, as expected.

Verified: # rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 13.el6                        Build Date: Tue 08 Mar 2011 10:25:44 PM IST
Install Date: Wed 09 Mar 2011 07:17:15 PM IST      Build Host: x86-005.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-13.el6.src.rpm
Size        : 3418301                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 7 errata-xmlrpc 2011-05-19 07:38:39 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html

Comment 8 errata-xmlrpc 2011-05-19 09:09:33 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
