[Freeipa-users] Kerberos key renewal not working

Tim Niemueller niemueller at kbsg.rwth-aachen.de
Thu Aug 11 08:14:09 UTC 2011


Hi all.

We have set up FreeIPA on an F-15 virtual machine. I'm currently testing 
with a F-14 client. We would like to keep F-14, as F-15 seems not 
generally stable enough for wide deployment (graphics issues etc.). I 
have described the setup a bit at http://www.niemueller.de/blog/id/245, 
which was possible only through numerous IRC sessions on #freeipa. This 
issue here seems a little more long-standing, hence the mail this time.

I'm having a hard time getting the setup running reliably. Initial login 
and desktop use works fine. But a typical use case is leaving the 
desktop running overnight with just the screen locked (there might be 
stuff running in the background). Now, if I return the next day and try 
to use the machine, the machine is frozen and cannot be used. Tickets 
have not been renewed, in particular the one for the NFSv4 server 
protected by Kerberos (sec=krb5). It just expired after 24h.

The problem can be recreated quickly with a shorter 5 minute lifetime 
with the following modifications (on the client).

This assumes that you have /home mounted via Kerberos-protected NFSv4 share!

In /etc/sssd/sssd.conf:
[domain/somedomain]
krb5_renewable_lifetime = 14d
krb5_renew_interval = 60
krb5_lifetime = 5m

[domain/default]
krb5_renewable_lifetime = 14d
krb5_renew_interval = 60
krb5_lifetime = 5m

Then reboot (just restarting sssd does not always show the problem, 
especially if you had been logged in before).
Then log in and wait five minutes; the machine freezes, as the NFS key 
has expired. If you do a klist just before the timeout expires, you see 
that the keys have not been renewed as expected (but the renewable end 
time is still way in the future, even if the FreeIPA server default of 
7d was not increased). Maybe I need to set some magic flag for rpc.gssd, 
but I couldn't find it.

Is there something I can do on my side to get this working? Or is it a 
FreeIPA or sssd shortcoming, or even "intended not to work by design"?

Ideally, I want to make it possible for users to just stay logged in all 
the time, so even acquiring new tickets automatically by requesting an 
intermediate user authentication or just doing it from the screensaver 
would be great, but I guess with /home mounted I'm pretty much out of 
luck? Is there alternatively a way to only authenticate the host via 
krb5, but not the user? In the old days we would simply use IP addresses 
to allow access. Well, that's bad, but having just the host authenticate 
to prevent laptop road warriors from snooping around could be just 
enough for us and avoid user ticket renewal. Any ideas?

Thanks for your input.
	Tim

-- 
KBSG - Knowledge-Based Systems Group            AllemaniACs RoboCup Team
========================================================================
http://robocup.rwth-aachen.de                     RWTH Aachen University
http://kbsg.rwth-aachen.de                               Ahornstrasse 55
http://www.fawkesrobotics.org                             D-52056 Aachen
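The symptom described in the post (a ticket that has expired although its "renew until" time is still far in the future) can be spotted mechanically from `klist` output. The following is an added example, not code from the post or from FreeIPA/sssd: it parses the `Valid starting / Expires / Service principal` table that MIT krb5's `klist` prints (the two-digit-year `MM/DD/YY HH:MM:SS` timestamp format is assumed; newer releases may print a different format) and classifies every ticket at a chosen point in time. The sample `klist` text is constructed to mirror the 5-minute `krb5_lifetime` / 14-day `krb5_renewable_lifetime` setup from the post; the principal and host names in it are placeholders.

```python
"""Classify Kerberos tickets from `klist` output (added example).

A ticket whose renewable window is still open but which has already
expired was not renewed in time: the KDC only renews tickets that are
still valid, so an automatic renewer (sssd's krb5_renew_interval loop
or a cron'd `kinit -R`) must act before the `Expires` time.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional
import re

# Assumption: two-digit-year format used by the klist of that era.
KLIST_TIME_FORMAT = "%m/%d/%y %H:%M:%S"
_STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until ({_STAMP})")

# Constructed sample: what klist might show with krb5_lifetime = 5m and
# krb5_renewable_lifetime = 14d. Names are placeholders, not real hosts.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tim@EXAMPLE.COM

Valid starting     Expires            Service principal
08/11/11 08:00:00  08/11/11 08:05:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 08/25/11 08:00:00
08/11/11 08:00:01  08/11/11 08:05:01  nfs/fileserver.example.com@EXAMPLE.COM
	renew until 08/25/11 08:00:01
08/11/11 07:59:00  08/11/11 08:04:00  host/workstation.example.com@EXAMPLE.COM
"""


@dataclass
class Ticket:
    service: str
    valid_from: datetime
    expires: datetime
    renew_until: Optional[datetime]  # None: issued without the renewable flag


def _stamp(text: str) -> datetime:
    return datetime.strptime(text, KLIST_TIME_FORMAT)


def parse_klist(text: str) -> List[Ticket]:
    """Turn the klist ticket table into Ticket objects."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append(Ticket(m.group(3), _stamp(m.group(1)), _stamp(m.group(2)), None))
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # "renew until" lines belong to the ticket printed just above them.
            tickets[-1].renew_until = _stamp(m.group(1))
    return tickets


def classify(ticket: Ticket, now: datetime) -> str:
    """Status of one ticket as seen at time `now`."""
    if now < ticket.expires:
        return "valid"
    if ticket.renew_until is None:
        return "expired-not-renewable"
    if now < ticket.renew_until:
        # Renewable window still open, yet the ticket lapsed: renewal was missed.
        return "expired-missed-renewal"
    return "expired-end-of-renewable-life"


def report(klist_text: str, now: datetime) -> Dict[str, str]:
    """Map each service principal to its status at `now`."""
    return {t.service: classify(t, now) for t in parse_klist(klist_text)}


def report_at(klist_text: str, now_text: str) -> Dict[str, str]:
    """Same as report(), with `now` given in klist's own timestamp format."""
    return report(klist_text, _stamp(now_text))


def missed_renewals(klist_text: str, now: datetime) -> List[str]:
    """Principals whose renewal should have happened but did not."""
    return [s for s, status in report(klist_text, now).items()
            if status == "expired-missed-renewal"]


if __name__ == "__main__":
    # Evaluate the constructed sample one minute after the 5-minute lifetime.
    when = _stamp("08/11/11 08:06:00")
    for service, status in report(SAMPLE_KLIST, when).items():
        print(f"{status:32s} {service}")
    print("missed:", missed_renewals(SAMPLE_KLIST, when))
```

Running the script once a minute (for example from the same cron or systemd timer that would otherwise call `kinit -R`) and alerting on a non-empty `missed_renewals` result tells you whether the renewal loop in sssd acted before the NFS service ticket lapsed, which is exactly the distinction the post is asking about.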



