FreeNAS / TrueNAS: NAS-106286

Kerberos ticket not refreshed

    Details

    • Impact:
      Medium

      Description

      Ever since upgrading to 11.3 my Kerberos ticket has not been refreshed. So far I have helped myself by manually creating a crontab entry which does a kinit every 6 hours.

      Looking at it again I noticed an error during "/etc/ix.rc.d/ix-kinit renew":

      freenas01# /etc/ix.rc.d/ix-kinit renew
      'int' object is not subscriptable
      Traceback (most recent call last):
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
          io_thread=False)
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1084, in _call
          return await methodobj(*args)
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/kerberos.py", line 365, in renew
          tgt_info = await self._get_cached_klist()
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/kerberos.py", line 345, in _get_cached_klist
          if ldap['kerberos_realm']['krb_realm'] in client:
      TypeError: 'int' object is not subscriptable

      The ticket itself, which FreeNAS presumably obtained after bootup via "ix-kinit start" (that command works), seems fine:

      freenas01# klist -v
      Credentials cache: FILE:/tmp/krb5cc_0
              Principal: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
          Cache version: 4
      
      Server: krbtgt/IPA.mydomain.com@IPA.MYDOMAIN.COM
      Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
      Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
      Ticket length: 384
      Auth time:  May 29 00:09:02 2020
      End time:   May 30 00:09:02 2020
      Renew till: Jun  5 00:09:02 2020
      Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
      Addresses: addressless
      
      Server: ldap/ipa01.ipa.mydomain.com@IPA.MYDOMAIN.COM
      Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
      Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
      Ticket length: 388
      Auth time:  May 29 00:09:02 2020
      Start time: May 29 00:09:05 2020
      End time:   May 30 00:09:02 2020
      Ticket flags: enc-pa-rep, transited-policy-checked, pre-authent
      Addresses: addressless

      LDAP config:

      freenas01# midclt call ldap.config
      {
          "id": 1,
          "hostname": ["ipa01.ipa.mydomain.com"],
          "basedn": "cn=compat,dc=ipa,dc=clouddrop,dc=de",
          "binddn": "",
          "bindpw": "test",
          "anonbind": false,
          "kerberos_realm": 1,
          "kerberos_principal": "host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM",
          "ssl": "ON",
          "certificate": null,
          "validate_certificates": false,
          "disable_freenas_cache": false,
          "timeout": 300,
          "dns_timeout": 30,
          "idmap_backend": "LDAP",
          "has_samba_schema": false,
          "auxiliary_parameters": "",
          "schema": "RFC2307",
          "enable": true,
          "cert_name": null,
          "uri_list": ["ldaps://ipa01.ipa.mydomain.com:636"]
      }

      Not sure if I read the code correctly, but "_get_cached_klist" tries to check whether the ldap['kerberos_realm'] string appears in the "client" field of the LDAP config. But according to ldap.config, "kerberos_realm" is just "1" (presumably the index of the defined realms?). Also, is it trying to access a subkey with "ldap['kerberos_realm']['krb_realm']"? krb_realm does not seem to exist either in the top-level config or as a subkey of kerberos_realm.
      Could this be the reason why ticket renewals always fail on my machine?

      Thank you for all your work.
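The following is an added illustration of the failure described above; it is not TrueNAS middleware code and does not claim to be the project's fix. It reproduces the `TypeError` from the traceback with a constructed stand-in for `ldap.config` (where `kerberos_realm` is an integer row id, as in the report) and shows a realm check that first resolves that id against a constructed realm table (`KERBEROS_REALMS`, an assumed shape) before matching the `Client:` principal in `klist` output. The klist excerpt is constructed from the shape of the output quoted in the report.

```python
from typing import Optional

# Constructed stand-in for `midclt call ldap.config`: note that
# "kerberos_realm" is a plain integer id, not a nested record.
LDAP_CONFIG = {
    "id": 1,
    "kerberos_realm": 1,
    "kerberos_principal": "host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM",
}

# Constructed, assumed shape of the realm table the id points at.
KERBEROS_REALMS = [
    {"id": 1, "realm": "IPA.MYDOMAIN.COM"},
]

# Constructed excerpt of `klist` output (same layout as the report).
KLIST_OUTPUT = """Credentials cache: FILE:/tmp/krb5cc_0
        Principal: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
    Cache version: 4

Server: krbtgt/IPA.mydomain.com@IPA.MYDOMAIN.COM
Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
"""


def realm_in_klist_buggy(ldap: dict, klist: str) -> bool:
    # Mirrors the failing line in the traceback: subscripting an int.
    return ldap['kerberos_realm']['krb_realm'] in klist


def buggy_check_error(ldap: dict, klist: str) -> Optional[str]:
    # Runs the buggy check and reports the exception class name, if any.
    try:
        realm_in_klist_buggy(ldap, klist)
    except Exception as exc:  # noqa: BLE001 - we want the type name only
        return type(exc).__name__
    return None


def resolve_realm(ldap: dict, realms: list) -> Optional[str]:
    # Accept either an already-joined record or a bare integer id.
    value = ldap.get("kerberos_realm")
    if isinstance(value, dict):
        return value.get("realm")
    for rec in realms:
        if rec["id"] == value:
            return rec["realm"]
    return None


def realm_in_klist_fixed(ldap: dict, realms: list, klist: str) -> bool:
    # Resolve the id first, then compare against the Client principal's realm.
    realm = resolve_realm(ldap, realms)
    if realm is None:
        return False
    for line in klist.splitlines():
        stripped = line.strip()
        if stripped.startswith("Client:") and stripped.endswith("@" + realm):
            return True
    return False


if __name__ == "__main__":
    print("buggy check raised:", buggy_check_error(LDAP_CONFIG, KLIST_OUTPUT))
    print("fixed check result:", realm_in_klist_fixed(LDAP_CONFIG, KERBEROS_REALMS, KLIST_OUTPUT))
```

The realm match is deliberately case-sensitive on the part after `@`, since Kerberos realm names are case-sensitive; the lower-case `IPA.mydomain.com` in the `Server:` line of the quoted klist output is the service name, not the realm.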

    People

    Assignee: awalker Andrew Walker
    Reporter: ppascher Pascal Pascher
    Votes: 0
    Watchers: 3