Hello all

I run a FreeIPA server on RHEL and have several Fedora 41 clients. On
one client, due to some configuration issues from my side, my system
clock was 1 hour off after today's switch to daylight saving time. SSSD
and Kerberos obviously did not like it.

On the client, after fixing the time and cleaning the cache with
sss_cache -E and a restart, login is working fine again. However, I
still have Kerberos issues, which result in issues accessing my NFS
server. I use automount of the shares in the /data folder. I get:

sebastian@kiste /data $ cd documents/
bash: cd: documents/: No such file or directory

Here is the Kerberos issue:

root@kiste:~# cat /var/log/sssd/krb5_child.log
...
(2025-03-30 12:23:40): [krb5_child[7152]]
[sss_krb5_expire_callback_func] (0x0020): [RID#127] Time to expire out
of range.
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [sss_log_process_caps]
(0x0100): [RID#127] Starting under ruid=965, euid=965, suid=965 :
rgid=965, egid=965, sgid=965
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [sss_log_process_caps]
(0x0100): [RID#127] With following capabilities:
         CAP_DAC_READ_SEARCH: effective =  0 , permitted = *1*,
inheritable =  0 , bounding = *1*
                  CAP_SETGID: effective =  0 , permitted = *1*,
inheritable =  0 , bounding = *1*
                  CAP_SETUID: effective =  0 , permitted = *1*,
inheritable =  0 , bounding = *1*
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [unpack_buffer]
(0x1000): [RID#127] total buffer size: [114]
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [unpack_buffer]
(0x0100): [RID#127] cmd [241 (auth)] uid [607000003] gid [607000003]
validate [true] enterprise principal [false] offline [false] UPN
[[email protected]]
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [unpack_buffer]
(0x0100): [RID#127] ccname: [KCM:] old_ccname: [KCM:] keytab:
[/etc/krb5.keytab]
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [k5c_check_old_ccache]
(0x4000): [RID#127] Old ccache is [KCM:] and is  active and TGT is 
valid.
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [k5c_precheck_ccache]
(0x4000): [RID#127] Reusing old ccache [KCM:]
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [k5c_setup_fast]
(0x0100): [RID#127] Fast principal is set to
[host/[email protected]]
   *  (2025-03-30 12:23:40): [krb5_child[7152]]
[find_principal_in_keytab] (0x4000): [RID#127] Trying to find principal
host/[email protected] in keytab.
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [match_principal]
(0x1000): [RID#127] Principal matched to the sample
(host/[email protected]).
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [check_fast_ccache]
(0x0200): [RID#127] FAST TGT is still valid.
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [sss_log_process_caps]
(0x0100): [RID#127] Running under ruid=607000003, euid=607000003,
suid=965 : rgid=607000003, egid=607000003, sgid=965
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [sss_log_process_caps]
(0x0100): [RID#127] With following capabilities:
   (nothing)
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [set_lifetime_options]
(0x0100): [RID#127] Renewable lifetime is set to [7d]
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [set_lifetime_options]
(0x0100): [RID#127] No specific lifetime requested.
   *  (2025-03-30 12:23:40): [krb5_child[7152]]
[set_canonicalize_option] (0x0100): [RID#127] Canonicalization is set
to [true]
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [main] (0x0400):
[RID#127] Will perform auth
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [main] (0x0400):
[RID#127] Will perform online auth
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [tgt_req_child]
(0x1000): [RID#127] Attempting to get a TGT
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [get_and_save_tgt]
(0x0400): [RID#127] Attempting kinit for realm [VIERWAENDE.HOME]
   *  (2025-03-30 12:23:40): [krb5_child[7152]] [sss_krb5_responder]
(0x4000): [RID#127] Got question [password].
   *  (2025-03-30 12:23:40): [krb5_child[7152]]
[sss_krb5_expire_callback_func] (0x0020): [RID#127] Time to expire out
of range.
********************** BACKTRACE DUMP ENDS HERE
*********************************


I tried to kdestroy the Kerberos tickets I could find, both that of root
and that of my user. I restarted (just to be sure), but it did not help. As
root, I have:

root@kiste:~# klist
Ticketzwischenspeicher: KCM:0:50421
Standard-Principal: host/[email protected]

Valid starting       Expires              Service principal
01.01.1970 01:00:00  01.01.1970 01:00:00  Encrypted/Credentials/v1@X-GSSPROXY:


As the user, it is:

sebastian@kiste ~ $ klist
Ticket cache: KCM:607000003:46693
Default principal: [email protected]

Valid starting       Expires              Service principal
30.03.2025 12:23:39  31.03.2025 11:31:45  krbtgt/[email protected]
        renew until 06.04.2025 12:23:39

Any idea what to do?

I set up everything about 3 years ago and my knowledge of FreeIPA,
Kerberos et al. has slowly declined since then. So it is totally
possible I am missing something obvious.

Thanks a lot for your help!
Sebastian