TrueNAS issue NAS-106286

Kerberos ticket not refreshed

Details

    • Medium

    Description

      Ever since upgrading to 11.3 my Kerberos ticket would not get refreshed. So far I have helped myself by manually creating a crontab entry which does a kinit every 6 hours.

      Looking at it again I noticed an error during "/etc/ix.rc.d/ix-kinit renew":

      freenas01# /etc/ix.rc.d/ix-kinit renew
      'int' object is not subscriptable
      Traceback (most recent call last):
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 130, in call_method
          io_thread=False)
        File "/usr/local/lib/python3.7/site-packages/middlewared/main.py", line 1084, in _call
          return await methodobj(*args)
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/kerberos.py", line 365, in renew
          tgt_info = await self._get_cached_klist()
        File "/usr/local/lib/python3.7/site-packages/middlewared/plugins/kerberos.py", line 345, in _get_cached_klist
          if ldap['kerberos_realm']['krb_realm'] in client:
      TypeError: 'int' object is not subscriptable

      The ticket itself, which FreeNAS got after bootup presumably via "ix-kinit start" (as this command works), seems fine:

      freenas01# klist -v
      Credentials cache: FILE:/tmp/krb5cc_0
              Principal: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
          Cache version: 4
      
      Server: krbtgt/IPA.mydomain.com@IPA.MYDOMAIN.COM
      Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
      Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
      Ticket length: 384
      Auth time:  May 29 00:09:02 2020
      End time:   May 30 00:09:02 2020
      Renew till: Jun  5 00:09:02 2020
      Ticket flags: enc-pa-rep, pre-authent, initial, renewable, forwardable
      Addresses: addressless
      
      Server: ldap/ipa01.ipa.mydomain.com@IPA.MYDOMAIN.COM
      Client: host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM
      Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
      Ticket length: 388
      Auth time:  May 29 00:09:02 2020
      Start time: May 29 00:09:05 2020
      End time:   May 30 00:09:02 2020
      Ticket flags: enc-pa-rep, transited-policy-checked, pre-authent
      Addresses: addressless

      LDAP config:

      freenas01# midclt call ldap.config
      {
          "id": 1,
          "hostname": ["ipa01.ipa.mydomain.com"],
          "basedn": "cn=compat,dc=ipa,dc=clouddrop,dc=de",
          "binddn": "",
          "bindpw": "test",
          "anonbind": false,
          "kerberos_realm": 1,
          "kerberos_principal": "host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM",
          "ssl": "ON",
          "certificate": null,
          "validate_certificates": false,
          "disable_freenas_cache": false,
          "timeout": 300,
          "dns_timeout": 30,
          "idmap_backend": "LDAP",
          "has_samba_schema": false,
          "auxiliary_parameters": "",
          "schema": "RFC2307",
          "enable": true,
          "cert_name": null,
          "uri_list": ["ldaps://ipa01.ipa.mydomain.com:636"]
      }

      Not sure if I read the code correctly, but "_get_cached_klist" tries to check if the ldap['kerberos_realm'] string appears in the "client" field of the LDAP config. But according to ldap.config, "kerberos_realm" is just "1" (presumably the index of the defined realms?). Also, is it trying to access a subkey with "ldap['kerberos_realm']['krb_realm']"? krb_realm does not seem to exist either in the top-level config or as a subkey of kerberos_realm.
      Could this be the reason why ticket renewals always fail on my machine?

      Thank you for all your work.
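Added example, not code from the TrueNAS middleware: a Python sketch of how a check like the one in the traceback can resolve an integer kerberos_realm id to its realm record before indexing into it, next to the unresolved indexing pattern that reproduces the TypeError. The realm table, the LDAP_CONFIG subset and the CLIENT string are constructed from the values shown in this issue; the "krb_realm" key name and all helper names are assumptions for this illustration.

```python
"""Added example, not TrueNAS middleware code: resolve the kerberos_realm
reference before indexing into it, so the lookup from the traceback cannot
raise TypeError when ldap.config holds an integer realm id."""
from collections.abc import Mapping
from typing import Any, Optional

# Constructed realm table for this example. The key name "krb_realm" is
# assumed from the expression in the traceback; the id matches the
# "kerberos_realm": 1 value in the issue's ldap.config output.
REALMS = [
    {"id": 1, "krb_realm": "IPA.MYDOMAIN.COM"},
]

# Constructed subset of the ldap.config output and the klist "Client:" line
# from the issue.
LDAP_CONFIG = {
    "id": 1,
    "kerberos_realm": 1,
    "kerberos_principal": "host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM",
}
CLIENT = "host/freenas01.ipa.mydomain.com@IPA.MYDOMAIN.COM"


def resolve_realm(ref: Any, realms: list) -> Optional[dict]:
    """Return the realm record that `ref` points at, or None.

    `ref` may be an integer id (what ldap.config returns in this issue),
    an already expanded realm mapping, or None when no realm is set.
    Any other type is a configuration error and is reported explicitly
    instead of surfacing as an unrelated TypeError deep in a renew call.
    """
    if ref is None:
        return None
    if isinstance(ref, Mapping):
        return dict(ref)
    if isinstance(ref, int) and not isinstance(ref, bool):
        for realm in realms:
            if realm.get("id") == ref:
                return realm
        return None  # dangling id: treat as "no realm" rather than crash
    raise TypeError(f"unsupported kerberos_realm reference: {ref!r}")


def realm_matches_client(ldap_config: Mapping, client: str,
                         realms: list = REALMS) -> bool:
    """Resolved form of the check from _get_cached_klist in the traceback."""
    realm = resolve_realm(ldap_config.get("kerberos_realm"), realms)
    if realm is None:
        return False
    return realm["krb_realm"] in client


def unresolved_check(ldap_config: Mapping, client: str) -> bool:
    """The indexing pattern from the traceback, kept to reproduce the bug."""
    return ldap_config["kerberos_realm"]["krb_realm"] in client


def reproduce_issue() -> bool:
    """True if the unresolved check fails on the issue's config, as reported."""
    try:
        unresolved_check(LDAP_CONFIG, CLIENT)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print("unresolved check raises TypeError:", reproduce_issue())
    print("resolved check matches client:",
          realm_matches_client(LDAP_CONFIG, CLIENT))
```

A dangling id returns False rather than raising, so a renew path built on this degrades to "no renewal for this realm" and can log the misconfiguration instead of aborting the whole call; a TypeError is reserved for a reference type the code was never written to handle.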

      People

        awalker Andrew Walker
        ppascher Pascal Pascher