On Sun, 30 Mar 2025, Sebastian Schubert via FreeIPA-users wrote:
Hello all
I run a FreeIPA server on RHEL and have several Fedora 41 clients. On
one client, due to some configuration issues from my side, my system
clock was 1 hour off after today's switch to daylight saving time. SSSD
and kerberos obviously did not like it.
On the client, after fixing the time and cleaning the cache with
sss_cache -E and a restart, login is working again fine. However, I
still have kerberos issues, which results in issues accessing my NFS
server. I use automount of the shares in the /data folder. I get
sss_cache -E does not remove the cache. To remove the cache completely,
please use `sssctl cache-remove` instead.
sebastian@kiste /data $ cd documents/
bash: cd: documents/: No such file or directory
Here is the kerberos issue:
root@kiste:~# cat /var/log/sssd/krb5_child.log
...
(2025-03-30 12:23:40): [krb5_child[7152]]
[sss_krb5_expire_callback_func] (0x0020): [RID#127] Time to expire out
of range.
"Time to expire out of range" means the user's password expiration time
as reported by Kerberos from the KDC side is in the past compared to the
system time.
Potential points to look at:
- user account's password expiration date with `ipa user-show username
--all|grep expiration`
- time on the IPA server side, maybe restarting krb5kdc would be
required?
- time local on the host, maybe full restart of sssd processes is
needed to make sure it picks up TZ change?
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING
BACKTRACE:
* (2025-03-30 12:23:40): [krb5_child[7152]] [sss_log_process_caps]
(0x0100): [RID#127] Starting under ruid=965, euid=965, suid=965 :
rgid=965, egid=965, sgid=965
* (2025-03-30 12:23:40): [krb5_child[7152]] [sss_log_process_caps]
(0x0100): [RID#127] With following capabilities:
CAP_DAC_READ_SEARCH: effective = 0 , permitted = *1*,
inheritable = 0 , bounding = *1*
CAP_SETGID: effective = 0 , permitted = *1*,
inheritable = 0 , bounding = *1*
CAP_SETUID: effective = 0 , permitted = *1*,
inheritable = 0 , bounding = *1*
* (2025-03-30 12:23:40): [krb5_child[7152]] [unpack_buffer]
(0x1000): [RID#127] total buffer size: [114]
* (2025-03-30 12:23:40): [krb5_child[7152]] [unpack_buffer]
(0x0100): [RID#127] cmd [241 (auth)] uid [607000003] gid [607000003]
validate [true] enterprise principal [false] offline [false] UPN
[[email protected]]
* (2025-03-30 12:23:40): [krb5_child[7152]] [unpack_buffer]
(0x0100): [RID#127] ccname: [KCM:] old_ccname: [KCM:] keytab:
[/etc/krb5.keytab]
* (2025-03-30 12:23:40): [krb5_child[7152]] [k5c_check_old_ccache]
(0x4000): [RID#127] Old ccache is [KCM:] and is active and TGT is
valid.
* (2025-03-30 12:23:40): [krb5_child[7152]] [k5c_precheck_ccache]
(0x4000): [RID#127] Reusing old ccache [KCM:]
* (2025-03-30 12:23:40): [krb5_child[7152]] [k5c_setup_fast]
(0x0100): [RID#127] Fast principal is set to
[host/[email protected]]
* (2025-03-30 12:23:40): [krb5_child[7152]]
[find_principal_in_keytab] (0x4000): [RID#127] Trying to find principal
host/[email protected] in keytab.
* (2025-03-30 12:23:40): [krb5_child[7152]] [match_principal]
(0x1000): [RID#127] Principal matched to the sample
(host/[email protected]).
* (2025-03-30 12:23:40): [krb5_child[7152]] [check_fast_ccache]
(0x0200): [RID#127] FAST TGT is still valid.
* (2025-03-30 12:23:40): [krb5_child[7152]] [sss_log_process_caps]
(0x0100): [RID#127] Running under ruid=607000003, euid=607000003,
suid=965 : rgid=607000003, egid=607000003, sgid=965
* (2025-03-30 12:23:40): [krb5_child[7152]] [sss_log_process_caps]
(0x0100): [RID#127] With following capabilities:
(nothing)
* (2025-03-30 12:23:40): [krb5_child[7152]] [set_lifetime_options]
(0x0100): [RID#127] Renewable lifetime is set to [7d]
* (2025-03-30 12:23:40): [krb5_child[7152]] [set_lifetime_options]
(0x0100): [RID#127] No specific lifetime requested.
* (2025-03-30 12:23:40): [krb5_child[7152]]
[set_canonicalize_option] (0x0100): [RID#127] Canonicalization is set
to [true]
* (2025-03-30 12:23:40): [krb5_child[7152]] [main] (0x0400):
[RID#127] Will perform auth
* (2025-03-30 12:23:40): [krb5_child[7152]] [main] (0x0400):
[RID#127] Will perform online auth
* (2025-03-30 12:23:40): [krb5_child[7152]] [tgt_req_child]
(0x1000): [RID#127] Attempting to get a TGT
* (2025-03-30 12:23:40): [krb5_child[7152]] [get_and_save_tgt]
(0x0400): [RID#127] Attempting kinit for realm [VIERWAENDE.HOME]
* (2025-03-30 12:23:40): [krb5_child[7152]] [sss_krb5_responder]
(0x4000): [RID#127] Got question [password].
* (2025-03-30 12:23:40): [krb5_child[7152]]
[sss_krb5_expire_callback_func] (0x0020): [RID#127] Time to expire out
of range.
********************** BACKTRACE DUMP ENDS HERE
*********************************
I tried to kdestroy the kerberos ticket I could find, both that of root
and of my user. Restarted (just to be sure) but it did not help. As
root, I have:
root@kiste:~# klist
Ticket cache: KCM:0:50421
Default principal: host/[email protected]
Valid starting Expires Service principal
01.01.1970 01:00:00 01.01.1970 01:00:00
Encrypted/Credentials/v1@X-GSSPROXY:
As the user, it is:
sebastian@kiste ~ $ klist
Ticket cache: KCM:607000003:46693
Default principal: [email protected]
Valid starting Expires Service principal
30.03.2025 12:23:39 31.03.2025 11:31:45
krbtgt/[email protected]
renew until 06.04.2025 12:23:39
Any idea what to do?
I set-up everything about 3 years ago and my knowledge of FreeIPA,
Kerberos et al. has slowly declined since then. So it is totally
possible I miss some obvious thing.
Thanks a lot for your help!
Sebastian
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
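The three checks suggested in the reply above (password expiration on the user account, clock on the IPA server, clock and SSSD restart on the client) can be scripted. What follows is an added example written for this page; it is not SSSD or FreeIPA code. It assumes one krb5_child.log entry per line (the mail client wrapped the lines quoted above), the LDAP generalized-time form of krbPasswordExpiration as `ipa user-show --raw` prints it, and the 300-second default Kerberos clockskew. The "out of range" test mirrors the reply's explanation: expiration minus local time is negative (already in the past) or does not fit a 32-bit seconds counter. The sample log lines and timestamps are constructed; the function names are this example's own.

```python
"""Triage helper for SSSD's 'Time to expire out of range' (added example)."""
import re
from datetime import datetime, timedelta, timezone

# One entry per line; the regex follows the krb5_child.log layout shown above.
LOG_RE = re.compile(
    r"^\((?P<ts>[\d-]+ [\d:]+)\): \[krb5_child\[(?P<pid>\d+)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]{4})\): "
    r"\[RID#(?P<rid>\d+)\] (?P<msg>.*)$"
)
EXPIRE_MSG = "Time to expire out of range."
MAX_CLOCK_SKEW = timedelta(seconds=300)   # assumed: krb5 default clockskew
UINT32_MAX = 0xFFFFFFFF

# Constructed sample, modelled on the thread's log (realm taken from the thread).
SAMPLE_LOG = [
    "(2025-03-30 12:23:40): [krb5_child[7152]] [sss_krb5_responder] (0x4000): "
    "[RID#127] Got question [password].",
    "(2025-03-30 12:23:40): [krb5_child[7152]] [sss_krb5_expire_callback_func] "
    "(0x0020): [RID#127] Time to expire out of range.",
    "(2025-03-30 12:25:02): [krb5_child[7190]] [get_and_save_tgt] (0x0400): "
    "[RID#131] Attempting kinit for realm [VIERWAENDE.HOME]",
]


def parse_line(line):
    """Split one krb5_child.log line into its fields; None for non-log lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["pid"], d["rid"], d["level"] = int(d["pid"]), int(d["rid"]), int(d["level"], 16)
    return d


def find_expire_errors(lines):
    """(timestamp, RID) of every request that hit the expire-callback error."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["msg"] == EXPIRE_MSG:
            hits.append((e["ts"], e["rid"]))
    return hits


def parse_generalized_time(s):
    """LDAP generalized time 'YYYYMMDDHHMMSSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def seconds_to_expire(pw_expiration, now):
    """pw_expiration - now in whole seconds: the value the callback range-checks."""
    return int((pw_expiration - now).total_seconds())


def expire_out_of_range(pw_expiration, now):
    """True when the expiration is already past on this clock (negative delta)
    or too far out for a 32-bit seconds counter (assumed upper bound)."""
    s = seconds_to_expire(pw_expiration, now)
    return s < 0 or s > UINT32_MAX


def clock_skew_ok(client_now, server_now, max_skew=MAX_CLOCK_SKEW):
    """Would the KDC accept this client clock? (|difference| <= clockskew)"""
    return abs(client_now - server_now) <= max_skew


def triage(log_lines, pw_expiration_str, client_now, server_now):
    """Combine the three checks from the reply into one report dict."""
    pw_exp = parse_generalized_time(pw_expiration_str)
    report = {
        "expire_errors": find_expire_errors(log_lines),
        "client_clock_ok": clock_skew_ok(client_now, server_now),
        "seconds_to_expire": seconds_to_expire(pw_exp, client_now),
        "password_expired_on_client_clock": expire_out_of_range(pw_exp, client_now),
        "advice": [],
    }
    if not report["client_clock_ok"]:
        report["advice"].append(
            "client and KDC clocks differ by more than clockskew: fix time, "
            "then restart sssd so it picks up the TZ change")
    if report["password_expired_on_client_clock"]:
        report["advice"].append(
            "krbPasswordExpiration is in the past on the client clock: check "
            "`ipa user-show USER --all | grep -i expiration` and the server clock")
    return report


if __name__ == "__main__":
    # Constructed scenario: client clock is one hour ahead of the KDC after the DST switch.
    client = parse_generalized_time("20250330112340Z")
    server = client - timedelta(hours=1)
    for k, v in triage(SAMPLE_LOG, "20250329120000Z", client, server).items():
        print(f"{k}: {v}")
```

Run it as root on the affected client with the real krb5_child.log and the expiration string from `ipa user-show`; a non-empty `advice` list points at which of the reply's three items to fix first.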