Red Hat Bugzilla – Bug 701545
Over-weekend login Kerberos keys are not renewed
Last modified: 2011-05-23 14:47:47 EDT
Description of problem:
A common thing in our lab is to leave your workstation turned on during the weekend, for example to use it later to log in and work. This frequently leads to the problem that, when coming back after the weekend and the workstation was not used, the Kerberos CC has expired and has not been automatically renewed.
In that situation logins via SSH fail and the screensaver hangs; actually it looks as if the whole desktop freezes. That's probably due to the unavailability of the user's home dir, mounted via NFSv4 protected by Kerberos. One way to recover was to log in as root and do "su tim -c kinit". This creates a new credentials cache and the system almost immediately comes back to life.
I'm not sure what the proper component is here, I'm filing against ipa-client because I'm certain that people who know what to do get it. It might be that sssd should renew the keys, or possibly gnome-screensaver on an unlock attempt (which might be a problem because the user's home dir is not available in that situation)? The freeipa-server runs on a F-15 machine, the client which freezes is a F-14 machine. A CentOS 5.6 machine is involved as file-server.
In this state it would be hard to introduce FreeIPA/Kerberos as it would cause frequent issue reports because it is a common use case for us.
Version-Release number of selected component (if applicable):
- On the client:
- On the FreeIPA server:
- On the file server:
Steps to Reproduce:
1. Login to a FreeIPA client machine
2. Leave it unattended until the Kerberos tickets expire (make sure that password locking to screensaver is enabled)
3. Try to unlock the screen
Actual results:
Machine is "frozen", i.e. no desktop interaction is possible.
Expected results:
After giving the correct password the screen is unlocked and the desktop accessible.
/var/log/messages contains entries like the following:
May 3 09:42:41 client rpc.gssd: CC file '/tmp/krb5cc_0' being considered, with preferred realm 'REALM'
May 3 09:42:41 client rpc.gssd: CC file '/tmp/krb5cc_0' owned by 0, not 801
May 3 09:42:41 client rpc.gssd: CC file '/tmp/krb5cc_801_i8ANZJ' being considered, with preferred realm 'REALM'
May 3 09:42:41 client rpc.gssd: CC file '/tmp/krb5cc_801_i8ANZJ' is expired or corrupt
May 3 09:42:41 client rpc.gssd: CC file '/tmp/krb5cc_machine_REALM' being considered, with preferred realm 'REALM'
May 3 09:42:41 client rpc.gssd: CC file '/tmp/krb5cc_machine_REALM' owned by 0, not 801
May 3 09:42:41 client rpc.gssd: CC file '/tmp/krb5cc_801_EpWWti' being considered, with preferred realm 'REALM'
May 3 09:42:41 client rpc.gssd: CC file '/tmp/krb5cc_801_EpWWti' is expired or corrupt
May 3 09:42:41 client rpc.gssd: WARNING: Failed to create krb5 context for user with uid 801 for server nfs-server
May 3 09:42:41 client rpc.gssd: doing error downcall
All entries are indeed expired (checked with klist).
It seems that you are looking for the following functionality.
I think it is disabled by default.
But check the man pages, sssd is well documented.
If you have any questions, ask on https://fedorahosted.org/mailman/listinfo/sssd-devel or in the #sssd channel on freenode.
What is the reasoning not to enable this by default? Disabling it causes desktop sessions to fail after some time; what drawbacks does enabling it have?
(In reply to comment #2)
> What is the reasoning not to enable this by default? Disabling it causes
> desktop sessions to fail after some time; what drawbacks does enabling it have?
It's not enabled by default for several reasons:
1) It can result in an increased security risk on the system, as keys are valid for a much longer time period without human intervention
2) Having every client re-keying can result in higher load on the KDC
3) Many Kerberos deployments do not allow renewals at all (because of 1), above)
4) In order to reduce the effect of 2), tuning is required to determine how often to automatically re-key.
There are a couple of 'gotchas' here. You will need to set the following options in sssd.conf for this to work (see sssd-krb5(5)):
The first option sets the complete amount of time that you want your user's TGTs to be renewable (I suspect you want this to be three days, so it would be 'krb5_renewable_lifetime = 3d'). The 'gotcha' here is that this is clamped down by the KDC. You need to ensure that your FreeIPA server allows clients to request renewals for at least this length of time.
The second option just specifies how often SSSD should check to see if tickets need to be renewed. I'd suggest in your case that it probably only needs to be about every eight hours, so you would set 'krb5_renew_interval = 28800'.
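As an added example (not code from the bug report or from SSSD), a small check for the two 'gotchas' above: it parses a constructed klist listing in MIT krb5's default MM/DD/YY HH:MM:SS layout, compares the renewable window the KDC actually granted with the requested krb5_renewable_lifetime, and compares krb5_renew_interval with the ticket lifetime. The principal, realm and times are made up, and the half-lifetime rule used for the interval check is an assumption about when SSSD attempts a renewal.

```python
import re
from datetime import datetime

# Constructed sample klist output (made-up principal, realm and times).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_801_i8ANZJ
Default principal: tim@REALM

Valid starting     Expires            Service principal
05/03/11 09:00:00  05/03/11 19:00:00  krbtgt/REALM@REALM
\trenew until 05/05/11 09:00:00
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"


def parse_duration(text):
    """Parse an sssd.conf duration such as '3d', '8h' or '28800' into seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError("bad duration: %r" % text)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_tgt(klist_text):
    """Return (valid_from, expires, renew_until) datetimes of the krbtgt entry."""
    to_dt = lambda s: datetime.strptime(s, "%m/%d/%y %H:%M:%S")
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        if "krbtgt/" in line:
            start, end = re.findall(TS, line)[:2]
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            m = re.search("renew until (" + TS + ")", nxt)  # absent if not renewable
            return to_dt(start), to_dt(end), (to_dt(m.group(1)) if m else None)
    raise ValueError("no krbtgt entry in klist output")


def check_renewal(klist_text, renewable_lifetime, renew_interval):
    """Compare what the KDC actually granted with the sssd.conf settings."""
    start, end, renew_until = parse_tgt(klist_text)
    ticket = int((end - start).total_seconds())
    granted = int((renew_until - start).total_seconds()) if renew_until else 0
    wanted, interval = parse_duration(renewable_lifetime), parse_duration(renew_interval)
    return {
        "ticket_seconds": ticket,
        "renewable_seconds": granted,
        # The KDC clamps the renewable lifetime; a shorter grant means renewals stop early.
        "clamped_by_kdc": granted < wanted,
        # Assumption: SSSD renews once about half the ticket lifetime has passed, so the
        # check interval must stay under half the lifetime or the TGT can expire first.
        "interval_too_long": interval >= ticket // 2,
    }


if __name__ == "__main__":
    print(check_renewal(KLIST_OUTPUT, "3d", "28800"))
```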