The maximum ticket lifetime and maximum renewable life of a Kerberos ticket are not getting renewed on the IPA server/client
env:
cat installed-rpms | grep krb5
krb5-libs-1.21.1-4.el9_5.x86_64 Fri Feb 14 10:55:39 2025
krb5-pkinit-1.21.1-4.el9_5.x86_64 Fri Feb 14 14:01:45 2025
krb5-server-1.21.1-4.el9_5.x86_64 Fri Feb 14 14:01:50 2025
krb5-workstation-1.21.1-4.el9_5.x86_64 Fri Feb 14 14:01:47 2025
samba-krb5-printing-4.20.2-2.el9_5.x86_64 Mon Feb 24 09:48:56 2025
samba-winbind-krb5-locator-4.20.2-2.el9_5.x86_64 Mon Feb 24 09:46:55 2025
sssd-krb5-2.9.5-4.el9_5.4.x86_64 Fri Feb 14 10:57:51 2025
sssd-krb5-common-2.9.5-4.el9_5.4.x86_64 Fri Feb 14 10:57:51 2025
ipa-client-4.12.2-1.el9_5.4.x86_64 Fri Feb 14 14:02:08 2025
ipa-client-common-4.12.2-1.el9_5.4.noarch Fri Feb 14 14:01:45 2025
ipa-common-4.12.2-1.el9_5.4.noarch Fri Feb 14 14:02:00 2025
ipa-healthcheck-0.16-4.el9.noarch Mon Feb 24 16:03:01 2025
ipa-healthcheck-core-0.16-4.el9.noarch Fri Feb 14 14:02:00 2025
ipa-selinux-4.12.2-1.el9_5.4.noarch Fri Feb 14 14:01:50 2025
ipa-server-4.12.2-1.el9_5.4.x86_64 Fri Feb 14 14:02:12 2025
ipa-server-common-4.12.2-1.el9_5.4.noarch Fri Feb 14 14:02:03 2025
ipa-server-dns-4.12.2-1.el9_5.4.noarch Fri Feb 14 14:02:12 2025
ipa-server-trust-ad-4.12.2-1.el9_5.4.x86_64 Mon Feb 24 09:52:02 2025
sssd-2.9.5-4.el9_5.4.x86_64
Reproduction steps:
[root@ci-vm-10-x.x.x ~]# klist
Ticket cache: KCM:0
Default principal: admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM
Valid starting       Expires              Service principal
06/10/2025 12:04:17 06/11/2025 11:16:36 krbtgt/HOSTED.UPSHIFT.RDU2.REDHAT.COM@HOSTED.UPSHIFT.RDU2.REDHAT.COM
renew until 06/15/2025 12:04:17
[root@ci-vm-10-x.x.x ~]# grep 'max' /var/kerberos/krb5kdc/kdc.conf
max_life = 7d
max_renewable_life = 14d
[root@ci-vm-10-x.x.x ~]# kinit -l 1d -r 7d
Password for admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM:
[root@ci-vm-10-x.x.x ~]# grep 'max' /var/kerberos/krb5kdc/kdc.conf
max_life = 7d
max_renewable_life = 14d
[root@ci-vm-10-x.x.x ~]# hostname
ci-vm-10-0-215-95.hosted.upshift.rdu2.redhat.com
[root@ci-vm-10-x.x.x ~]# ldapmodify -Y GSSAPI -H ldap://ci-vm-10-0-215-95.hosted.upshift.rdu2.redhat.com <<EOF
> dn: krbPrincipalName=krbtgt/HOSTED.UPSHIFT.RDU2.REDHAT.COM@HOSTED.UPSHIFT.RDU2.REDHAT.COM,cn=HOSTED.UPSHIFT.RDU2.REDHAT.COM,cn=kerberos,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com
> changetype: modify
> replace: krbMaxRenewableAge
> krbMaxRenewableAge: 1209600
> -
> replace: krbMaxTicketLife
> krbMaxTicketLife: 604800
> EOF
SASL/GSSAPI authentication started
SASL username: admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM
SASL SSF: 256
SASL data security layer installed.
modifying entry "krbPrincipalName=krbtgt/HOSTED.UPSHIFT.RDU2.REDHAT.COM@HOSTED.UPSHIFT.RDU2.REDHAT.COM,cn=HOSTED.UPSHIFT.RDU2.REDHAT.COM,cn=kerberos,dc=hosted,dc=upshift,dc=rdu2,dc=redhat,dc=com"
[root@ci-vm-10-x.x.x ~]# kdestroy
[root@ci-vm-10-x.x.x ~]# kinit admin
Password for admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM:
[root@ci-vm-10-x.x.x ~]# klist
Ticket cache: KCM:0
Default principal: admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM
Valid starting       Expires              Service principal
06/10/2025 12:14:53 06/11/2025 12:00:11 krbtgt/HOSTED.UPSHIFT.RDU2.REDHAT.COM@HOSTED.UPSHIFT.RDU2.REDHAT.COM
renew until 06/15/2025 12:14:53
We tried to clear everything:
# kdestroy
# systemctl stop sssd ; rm -f /var/log/sssd/* /var/lib/sss/{db,mc}/* ; systemctl start sssd
# systemctl restart krb5kdc.service
# ipactl restart
# kinit username
# klist
but no luck.
Am I checking this in an appropriate way?
Or is this a bug?
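An added check, not part of the report above: this Python script parses `klist` output and compares the lifetime and renewable life the KDC actually granted with what `kinit -l 1d -r 7d` requested and what `kdc.conf` permits. An MIT KDC grants the minimum of the requested value, the client principal's maximum, the service (krbtgt) principal's maximum and the realm's `max_life` / `max_renewable_life`; FreeIPA additionally applies the ticket policy shown by `ipa krbtpolicy-show`. So when the granted value is below both the request and `kdc.conf`, as it is for the 23h12m ticket quoted above, the binding limit is a principal or policy value, not `kdc.conf`. The sample input is the first ticket listing from the report, re-typed here as a constructed sample with klist's usual column spacing; the duration parser, the `--stdin` flag and the classification labels are the example's own assumptions.

```python
import re
import sys
from datetime import datetime

# Constructed sample input: the first klist listing from the report above,
# re-typed with klist's usual column spacing (values unchanged).
SAMPLE_KLIST = """\
Ticket cache: KCM:0
Default principal: admin@HOSTED.UPSHIFT.RDU2.REDHAT.COM

Valid starting       Expires              Service principal
06/10/2025 12:04:17  06/11/2025 11:16:36  krbtgt/HOSTED.UPSHIFT.RDU2.REDHAT.COM@HOSTED.UPSHIFT.RDU2.REDHAT.COM
\trenew until 06/15/2025 12:04:17
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"          # klist's default timestamp
TICKET_RE = re.compile(rf"^\s*({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})\s*$")
FMT = "%m/%d/%Y %H:%M:%S"
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(spec):
    """Parse a kinit / kdc.conf style duration ('1d', '7d', '10h', '36000').
    Assumption: only the plain <number><unit> form is handled."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", spec)
    if not m:
        raise ValueError(f"unsupported duration: {spec!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def parse_klist(text):
    """Return one dict per ticket line, attaching the 'renew until' line that follows it."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), FMT),
                "end": datetime.strptime(m.group(2), FMT),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets


def granted_seconds(ticket):
    """(lifetime, renewable life) in seconds, both measured from 'Valid starting'."""
    life = int((ticket["end"] - ticket["start"]).total_seconds())
    renew = None
    if ticket["renew_until"] is not None:
        renew = int((ticket["renew_until"] - ticket["start"]).total_seconds())
    return life, renew


def classify(granted, requested, kdc_cap):
    """Name the limit that explains a granted value (labels are this example's own)."""
    if granted is None:
        return "not renewable"
    if granted >= requested:
        return "request honoured"
    if granted == kdc_cap:
        return "capped by kdc.conf"
    # Below both the request and the realm cap: a principal limit
    # (krbMaxTicketLife / krbMaxRenewableAge) or the IPA ticket policy is binding.
    return "capped below both request and kdc.conf: check principal limits / ipa krbtpolicy"


def check_ticket(ticket, requested_life, requested_renew, kdc_max_life, kdc_max_renew):
    life, renew = granted_seconds(ticket)
    return {
        "life_seconds": life,
        "renew_seconds": renew,
        "life": classify(life, requested_life, kdc_max_life),
        "renew": classify(renew, requested_renew, kdc_max_renew),
    }


if __name__ == "__main__":
    # `klist | python3 check_ticket.py --stdin` checks a live cache; otherwise the sample runs.
    text = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_KLIST
    for t in parse_klist(text):
        result = check_ticket(t, parse_duration("1d"), parse_duration("7d"),
                              parse_duration("7d"), parse_duration("14d"))
        print(t["service"], result)
```

For the sample the script reports a granted lifetime of 83539 s against 86400 s requested and a renewable life of 432000 s (5 days) against 604800 s requested, both below the `kdc.conf` caps, which is the signal to compare `ipa krbtpolicy-show` and the principal entries rather than `kdc.conf`.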