SSSD generates invalid Kerberos ticket at login
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sssd |
New
|
Unknown
|
|||
sssd (Ubuntu) |
Triaged
|
Medium
|
Unassigned |
Bug Description
Ubuntu 12.04.1
sssd 1.8.2-0ubuntu1
Arch i386
When SSSD is configured for krb5 auth and a user successfully logs in, the following ticket is generated in /tmp/krb5cc_
klist -c /tmp/krb5cc_
Default principal: <email address hidden>
Valid starting Expires Service principal
31/12/1969 19:00 31/12/1969 19:00 <email address hidden>
The expected outcome is receive a Kerberos ticket with a valid starting and stopping date.
After some experimentation, the issue may be related to the credential cache as deleting the bad ticket, deleting the SSSD cache, and restarting the sssd service seems to produce a valid ticket:
service sssd stop
rm /tmp/krb5cc_
rm -rf /var/lib/sss/db/*
service sssd start
<user log in successful>
klist -c /tmp/krb5cc_
Default principal: <email address hidden>
Valid starting Expires Service principal
20/08/2012 13:49 20/08/2012 23:49 <email address hidden>
renew until 20/08/2012 23:49
Specifying krb5_* options in sssd.conf seems to have no effect on the outcome of the ticket.
Obviously, this bug creates problems for applications and services that require a valid Kerberos ticket such as Kerberized NFS mounts.
description: | updated |
Changed in sssd (Ubuntu): | |
importance: | Undecided → Medium |
status: | New → Triaged |
Changed in sssd: | |
status: | Unknown → New |
tags: | added: precise |
You are actually seeing intentional behavior here. What is happening is that the initial login is occurring while SSSD is operating in "offline" mode. Usually this happens when some application makes a request of SSSD during startup before it has access to the remote LDAP server. As a result, it switches into offline operation for two minutes. If you waited two minutes before logging in, you would probably have your authentication transmitted to the KDC and would receive a valid ticket.
The reason for the obviously expired ticket is so that the credential cache is still created. Without doing this, utilities like krb5-auth-dialog would not be able to track the credentials at session login.
There's another way you can mitigate this (designed mainly for the cases where your LDAP/KDC is only available behind VPNs, but will also work for this use-case). You can set the option "krb5_store_ password_ if_offline = True" in the [domain/DOMAINNAME] section of sssd.conf. What this does is store your plaintext password securely in the kernel keyring until the SSSD detects that you have regained access to the KDC. At that time, SSSD will authenticate on your behalf and update the credential cache with your valid TGT.
We don't enable this option by default because it does have a limited risk of exposing your password to the root user on the system (mitigated as best we can with kernel keyring permissions), but if you have exclusive access to your machine, it should be pretty much safe.
Otherwise, you can just get your TGT yourself by running kinit (or unlocking your screen) after a couple minutes have passed.