
The maximum ticket lifetime and maximum renewable life of a Kerberos ticket are not getting updated on the IPA server/client


    • Icon: Bug Bug
    • Resolution: Won't Do
    • rhel-8.10
    • krb5
    • No
    • Low
    • rhel-idm-uah
    • ssg_idm
    • 0
    • False
    • False

      The maximum ticket lifetime and maximum renewable life of a Kerberos ticket are not getting updated.

      Env:

      [root@ci-vm-10-0-215-95 ~]# cat /etc/redhat-release
      Red Hat Enterprise Linux release 8.10 (Ootpa)
      [root@ci-vm-10-0-215-95 ~]# rpm -qa | grep sss
      libsss_certmap-2.9.4-5.el8_10.1.x86_64
      libsss_idmap-2.9.4-5.el8_10.1.x86_64
      libsss_nss_idmap-2.9.4-5.el8_10.1.x86_64
      sssd-common-2.9.4-5.el8_10.1.x86_64
      sssd-winbind-idmap-2.9.4-5.el8_10.1.x86_64
      python3-sssdconfig-2.9.4-5.el8_10.1.noarch
      sssd-common-pac-2.9.4-5.el8_10.1.x86_64
      python3-sss-murmur-2.9.4-5.el8_10.1.x86_64
      sssd-tools-2.9.4-5.el8_10.1.x86_64
      libsss_autofs-2.9.4-5.el8_10.1.x86_64
      sssd-nfs-idmap-2.9.4-5.el8_10.1.x86_64
      python3-libsss_nss_idmap-2.9.4-5.el8_10.1.x86_64
      sssd-krb5-common-2.9.4-5.el8_10.1.x86_64
      sssd-idp-2.9.4-5.el8_10.1.x86_64
      python3-sss-2.9.4-5.el8_10.1.x86_64
      libsss_sudo-2.9.4-5.el8_10.1.x86_64
      sssd-kcm-2.9.4-5.el8_10.1.x86_64
      sssd-dbus-2.9.4-5.el8_10.1.x86_64
      sssd-krb5-2.9.4-5.el8_10.1.x86_64
      sssd-client-2.9.4-5.el8_10.1.x86_64
      sssd-ipa-2.9.4-5.el8_10.1.x86_64
      [root@ci-vm-10-0-215-95 ~]# rpm -qa | grep krb5
      krb5-server-1.18.2-30.el8_10.x86_64
      sssd-krb5-common-2.9.4-5.el8_10.1.x86_64
      krb5-workstation-1.18.2-30.el8_10.x86_64
      sssd-krb5-2.9.4-5.el8_10.1.x86_64
      krb5-pkinit-1.18.2-30.el8_10.x86_64
      krb5-libs-1.18.2-30.el8_10.x86_64
      [root@ci-vm-10-0-215-95 ~]# rpm -qa | grep ipa
      python3-iniparse-0.4-31.el8.noarch
      ipa-healthcheck-0.12-4.module+el8.10.0+22138+e77d88cf.noarch
      ipa-server-dns-4.9.13-14.module+el8.10.0+22574+12a10600.noarch
      libipa_hbac-2.9.4-5.el8_10.1.x86_64
      python3-ipaserver-4.9.13-14.module+el8.10.0+22574+12a10600.noarch
      ipa-client-common-4.9.13-14.module+el8.10.0+22574+12a10600.noarch
      ipa-common-4.9.13-14.module+el8.10.0+22574+12a10600.noarch
      ipa-client-4.9.13-14.module+el8.10.0+22574+12a10600.x86_64
      ipa-server-common-4.9.13-14.module+el8.10.0+22574+12a10600.noarch
      ipa-server-trust-ad-4.9.13-14.module+el8.10.0+22574+12a10600.x86_64
      python3-libipa_hbac-2.9.4-5.el8_10.1.x86_64
      ipa-selinux-4.9.13-14.module+el8.10.0+22574+12a10600.noarch
      redhat-logos-ipa-84.5-2.el8.noarch
      python3-ipaclient-4.9.13-14.module+el8.10.0+22574+12a10600.noarch
      ipa-server-4.9.13-14.module+el8.10.0+22574+12a10600.x86_64
      ipa-healthcheck-core-0.12-4.module+el8.10.0+22138+e77d88cf.noarch
      sssd-ipa-2.9.4-5.el8_10.1.x86_64
      python3-ipalib-4.9.13-14.module+el8.10.0+22574+12a10600.noarch
      [root@ci-vm-10-0-215-95 ~]#

      Steps to reproduce:

      1] [root@ci-vm-10-0-215-95 ~]# grep 'max' /var/kerberos/krb5kdc/kdc.conf
      max_life = 7d
      max_renewable_life = 14d
      [root@ci-vm-10-0-215-95 ~]#

      2] [root@ci-vm-10-0-215-95 ~]# ipa krbtpolicy-show admin
      Max life: 345600
      Max renew: 432000
      [root@ci-vm-10-0-215-95 ~]#

      3]
      [libdefaults]
      default_realm = HOSTED.UPSHIFT.RDU2.REDHAT.COM
      dns_lookup_realm = false
      dns_lookup_kdc = true
      rdns = false
      ticket_lifetime = 7d
      forwardable = true
      udp_preference_limit = 0

      #default_ccache_name = KEYRING:persistent:%{uid}
      default_ccache_name = FILE:/tmp/krb5cc_%{uid}

      4] Also applied:

      [root@ci-vm-10-0-215-95 ~]# ldapmodify -Y GSSAPI -H ldap://ci-vm-10-0-215-95.hosted.upshift.rdu2.redhat.com <<EOF
      > dn: krbPrincipalName=krbtgt/HOSTED.UPSHIFT.RDU2.REDHAT.COM@HOSTED.UPSHIFT.RDU2.REDHAT.COM,cn=HOSTED.UPSHIFT.RDU2.REDHAT.COM,cn=kerberos,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com
      > changetype: modify
      > replace: krbMaxRenewableAge
      > krbMaxRenewableAge: 1209600
      > -
      > replace: krbMaxTicketLife
      > krbMaxTicketLife: 604800
      > EOF
      SASL/GSSAPI authentication started
      SASL username: admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM
      SASL SSF: 256
      SASL data security layer installed.
      modifying entry "krbPrincipalName=krbtgt/HOSTED.UPSHIFT.RDU2.REDHAT.COM@HOSTED.UPSHIFT.RDU2.REDHAT.COM,cn=HOSTED.UPSHIFT.RDU2.REDHAT.COM,cn=kerberos,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com"

      [root@ci-vm-10-0-215-95 ~]# kdestroy
      [root@ci-vm-10-0-215-95 ~]# kinit admin
      Password for admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM:
      [root@ci-vm-10-0-215-95 ~]# klist
      Ticket cache: KCM:0
      Default principal: admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM

      Valid starting       Expires              Service principal
      06/10/2025 12:14:53  06/11/2025 12:00:11  krbtgt/HOSTED.UPSHIFT.RDU2.REDHAT.COM@HOSTED.UPSHIFT.RDU2.REDHAT.COM
      	renew until 06/15/2025 12:14:53

      The change did not affect the ticket's expiry date and time. Note that the "renew until" timestamp is exactly 5 days (432000 s) after issuance, which matches the Max renew value reported by ipa krbtpolicy-show in step 2 rather than the 14d max_renewable_life in kdc.conf.

      I have also cross-checked a few KCS articles and followed them, but with no luck:

      https://access.redhat.com/solutions/3083261

      https://access.redhat.com/solutions/322873

      Is this a bug, or am I not checking it the proper way?
