Kerberos ticket not refreshed
Activity
Pascal Pascher May 29, 2020 at 8:19 PM (edited)
I forgot to restart middlewared after changing the permitted buffer to test. It works correctly now. Issue is resolved. Thank you.
Pascal Pascher May 29, 2020 at 2:31 PM (edited)
Thanks Andrew. I tried the fix (replacing kerberos.py) and got a cached entry:
The /etc/ix.rc.d/ix-kinit renew did not seem to renew the ticket though even after manually setting the "permitted buffer" variable in the kerberos.py renew function for ldap_TGT to 720 minutes (well within the delta). But maybe I am misunderstanding the code.
Andrew Walker May 29, 2020 at 12:22 PM
Hi Pascal, thanks for reporting the issue. I have a WIP fix here: https://raw.githubusercontent.com/freenas/freenas/a8f71e9c71d5fd175435c453e22fc3a6c5dc17e2/src/middlewared/middlewared/plugins/kerberos.py
If you are up to verifying that it fixes your issue, try the following:
1) clone your boot environment
2) replace /usr/local/lib/python3.7/site-packages/middlewared/plugins/ldap.py with the file above
3) restart the middlewared process "service middlewared restart"
4) run command "midclt call kerberos._get_cached_klist"
You can revert to the default configuration either by rolling back boot environments or by keeping a backup of the file before step 2, copying it back, and restarting the middleware.
Ever since upgrading to 11.3 my kerberos ticket would not get refreshed. So far I helped myself by manually creating a crontab which does a kinit every 6 hours.
Looking at it again I noticed an error during "/etc/ix.rc.d/ix-kinit renew":
freenas01# /etc/ix.rc.d/ix-kinit renew
'int' object is not subscriptable
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
    io_thread=False)
  File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1084, in _call
    return await methodobj(*args)
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/kerberos.py", line 365, in renew
    tgt_info = await self._get_cached_klist()
  File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/kerberos.py", line 345, in _get_cached_klist
    if ldap['kerberos_realm']['krb_realm'] in client:
TypeError: 'int' object is not subscriptable
The ticket itself, which FreeNAS presumably got after bootup via "ix-kinit start" (as that command works), seems fine:
freenas01# klist -v
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM

  Cache version: 4

Server: krbtgt/IPA.mydomain.com@IPA.MYDOMAIN.COM
Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 384
Auth time:  May 29 00:09:02 2020
End time:   May 30 00:09:02 2020
Renew till: Jun  5 00:09:02 2020
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: ldap/ipa01.ipa.mydomain.com@IPA.MYDOMAIN.COM
Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 388
Auth time:  May 29 00:09:02 2020
Start time: May 29 00:09:05 2020
End time:   May 30 00:09:02 2020
Ticket flags: enc-pa-rep, transited-policy-checked, pre-authent
Addresses: addressless
LDAP config:
freenas01# midclt call ldap.config
{
  "id": 1,
  "hostname": ["ipa01.ipa.mydomain.com"],
  "basedn": "cn=compat,dc=ipa,dc=clouddrop,dc=de",
  "binddn": "",
  "bindpw": "test",
  "anonbind": false,
  "kerberos_realm": 1,
  "kerberos_principal": "host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM",
  "ssl": "ON",
  "certificate": null,
  "validate_certificates": false,
  "disable_freenas_cache": false,
  "timeout": 300,
  "dns_timeout": 30,
  "idmap_backend": "LDAP",
  "has_samba_schema": false,
  "auxiliary_parameters": "",
  "schema": "RFC2307",
  "enable": true,
  "cert_name": null,
  "uri_list": ["ldaps://ipa01.ipa.mydomain.com:636"]
}
Not sure if I read the code correctly, but "_get_cached_klist" tries to check whether the ldap['kerberos_realm'] string appears in the "client" field of the LDAP config. But according to ldap.config, "kerberos_realm" is just "1" (presumably the index of the defined realms?). Also, is it trying to access a subkey with "ldap['kerberos_realm']['krb_realm']"? krb_realm does not seem to exist either in the top-level config or as a subkey of kerberos_realm.
Could this be the reason why ticket renewals always fail on my machine?
Thank you for all your work.
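Worked example added to this report (not FreeNAS middleware code, and not part of any comment above). It reproduces the TypeError from the traceback against a constructed copy of the ldap.config output, where kerberos_realm is an integer id, and shows the lookup that avoids it: resolve the id to a realm name before comparing it with the ticket's client principal. A small klist -v parser and a renew-window check follow so the "permitted buffer" idea from the thread can be exercised against sample data. REALMS, resolve_realm, realm_matches_client, parse_klist, find_tgt and renew_due are illustrative names assumed here, not middlewared APIs, and the klist text is constructed from the report with the krbtgt realm written in upper case.

```python
"""Added example: reproduce the int-subscript bug, then resolve the realm id
first. Names and the REALMS table are assumptions, not middlewared code."""
import re
from datetime import datetime, timedelta

# Constructed from the `midclt call ldap.config` output in the report:
# kerberos_realm is an integer id, not a dict or a realm name.
LDAP_CONFIG = {
    "id": 1,
    "kerberos_realm": 1,
    "kerberos_principal": "host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM",
    "enable": True,
}

# Constructed stand-in for the realm table that id points into (assumption).
REALMS = [{"id": 1, "realm": "IPA.MYDOMAIN.COM"}]

# Constructed `klist -v` output modelled on the report: one TGT, one service ticket.
KLIST_OUTPUT = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM

  Cache version: 4

Server: krbtgt/IPA.MYDOMAIN.COM@IPA.MYDOMAIN.COM
Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 384
Auth time:  May 29 00:09:02 2020
End time:   May 30 00:09:02 2020
Renew till: Jun  5 00:09:02 2020
Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
Addresses: addressless

Server: ldap/ipa01.ipa.mydomain.com@IPA.MYDOMAIN.COM
Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
Ticket length: 388
End time:   May 30 00:09:02 2020
Ticket flags: enc-pa-rep, transited-policy-checked, pre-authent
"""

KLIST_TIME = "%b %d %H:%M:%S %Y"


def buggy_check(ldap, client):
    """Same shape as the failing line in the traceback."""
    return ldap["kerberos_realm"]["krb_realm"] in client


def reproduces_type_error():
    """True if the buggy check fails the way the report shows."""
    try:
        buggy_check(LDAP_CONFIG, LDAP_CONFIG["kerberos_principal"])
    except TypeError:
        return True
    return False


def resolve_realm(ldap, realms):
    """Map the integer kerberos_realm id to its realm name (None if unset)."""
    realm_id = ldap.get("kerberos_realm")
    if not realm_id:
        return None
    for entry in realms:
        if entry["id"] == realm_id:
            return entry["realm"]
    raise LookupError(f"kerberos_realm id {realm_id} matches no realm")


def realm_matches_client(ldap, realms, client):
    """Corrected check: compare the resolved realm name with the principal."""
    realm = resolve_realm(ldap, realms)
    return realm is not None and client.endswith("@" + realm)


def parse_klist(text):
    """Split `klist -v` output into one dict per ticket (blank-line separated)."""
    tickets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Server" in fields:
            tickets.append(fields)
    return tickets


def find_tgt(tickets, realm):
    """Return the TGT for `realm` (krbtgt/...@REALM), or None if absent."""
    for ticket in tickets:
        server = ticket.get("Server", "")
        if server.startswith("krbtgt/") and server.endswith("@" + realm):
            return ticket
    return None


def _klist_time(value):
    # klist pads single-digit days with two spaces ("Jun  5"); collapse them.
    return datetime.strptime(" ".join(value.split()), KLIST_TIME)


def renew_due(tgt, now, buffer_minutes):
    """Renew only a renewable TGT still inside its renew window whose end time
    is within `buffer_minutes` of `now` (both klist-formatted strings)."""
    flags = {f.strip() for f in tgt.get("Ticket flags", "").split(",")}
    if "renewable" not in flags or "Renew till" not in tgt:
        return False
    current = _klist_time(now)
    if current >= _klist_time(tgt["Renew till"]):
        return False  # past renew-till: only a fresh kinit helps now
    return _klist_time(tgt["End time"]) - current <= timedelta(minutes=buffer_minutes)
```

With the report's timestamps, a buffer of 720 minutes checked at 13:00 on May 29 flags the TGT for renewal (it ends at 00:09 the next day), a 60-minute buffer does not, and a check after the "Renew till" date returns False because a renewal request would be refused anyway. The service ticket has no renew window and is never selected as a renewal candidate.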