[Bug 1988144] Re: klist not showing tgt after reboot

Thu Sep 1 07:43:56 UTC 2022

Hello Sergio,

thanks for your help.

I can do that. I will explain a step by step procedure for my setup.
Also i attach a file with anonymised krb5.conf, realmd.conf and
sssd.conf

We have a ActiveDirectory Domain which is controlled by multiple
Domaincontrollers. We attach some of our Linuxserver to AD to control by
AD-Group who can access and sudo on this linuxmachines. In my conf files
the domain is simple called domain.de|DOMAIN.DE

- starting point is a fresh installed Ubuntu 18.04 or 22.04 LTS with a
lokal admin. this lokal admin is used to initiate the AD Connection.
Basically i followed this tutorial: https://schroeffu.ch/2019/09/linux-
active-directory-ldap-ssh-login-mit-sssd-und-realmd/

- Installation:
apt install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli

- please see attached krb5.conf, realmd.conf

- now i get a tgt with kinit using my AD-Domainadmincredentials
kinit myusername at DOMAIN.DE

- joining Domain
realm --verbose join DOMAIN.DE -U myusername at DOMAIN.DE

- at this point we are part of domain and after domainsync every user in group LinuxAdmins can login by ssh. making sudo is allowed by a config in  /etc/sudoers.d/ which contains 
%LinuxAdmins ALL=(ALL:ALL) ALL

Now i use a unprivileged domainuser which is part of AD-group LinuxAdmins 
For fast login i use a key-pair for this user to login as unprivileged user. So i log in by ssh-keys and do a "sudo -i" to stay permanent root. Now sssd works and checks my AD-Data/Passwort. iam allowed to do sudo and now iam root user. klist now shows a valid tgt and klist -ekt shows valid KVNO, Timestamp and  Principal

Now i do the same on Ubuntu 22, all steps/configs identical except a line in sssd.conf (see comment in first section) because services use other startup.
On ubuntu 22 i use my unprivilged user to login by ssh-keys then doing "sudo -i" and klist says:
klist: No credentials cache found (filename: /tmp/krb5cc_0)
a file /tmp/krb5cc_0 is not existent but i see a file /tmp/krb5cc_27465975_nGySkP which is owned by my unprivilged username but not used by klist. May be the problem is in the sudo environment. 

In Ubuntu 22 i see a valid tgt by klist only if i do every login by hand and dont use a ssh key. but this was working in ubuntu 18 and i liked the way, because i hop on a lot of servers every day and first login by ssh-key is very comfy.
May be this is only a small bug in this particular case, but i want to make sure that my services still work after some time, because the existing keytab can used for other purposes like authentication by apache-webserver too and i dont want them to be harmed by this issue.

Thanks for your help,
Hans

** Attachment added: "krb5.conf"
   https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1988144/+attachment/5612836/+files/krb5.conf

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1988144

Title:
  klist not showing tgt after reboot

Status in krb5 package in Ubuntu:
  Incomplete

Bug description:
  Hello,

  iam not sure if this is a bug, but iam noticed a different behaviour of kinit/klist between Ubuntu 18.04 and 22.04
  I already talked to sam hartman who is maintainer of krb5 packages at debian and he told that basically there is no difference between different version of kinit/klist and one should dig in Ubuntu environment.
  Let me decribe the notice:

  We use kinit/klist/krb5 keytab as base for sssd and ssh access
  controlled by AD.

  In Ubuntu 18.04 LTS i could do:
  "kinit myprincipal" and created a valid tgt. This tgt was stable and survived a reboot which can be viewed by "klist".
  I log in as unprivileged user, doing "sudo -i" and see:

  myhost: # klist
  Ticket cache: FILE:/tmp/krb5cc_27465975_uqBiyq

  File /tmp/krb5cc_27465975_uqBiyq is existent and owned by my unprivileged username and group domainusers.
  Ubuntu 18.04 LTS is using 1.16-2ubuntu0.2 of krb5-user. i have to say, that first login as unprivileged user is done by using ssh-keypair, so no sssd is involved. But by using "sudo -i" sssd is used and worked like expected.

  Now we switched to Ubuntu 22.04 LTS, Version of krb5-user is 1.19.2-2
  Doing kinit myprincipal on 22.04 leads to:
  myhost: #  klist
  Ticket cache: FILE:/tmp/krb5cc_0

  File /tmp/krb5cc_0 is owned by root:root

  After reboot i can still login successful as unprivileged user make
  "sudo -i" and klist says:

  myhost: # klist
  klist: No credentials cache found (filename: /tmp/krb5cc_0

  File /tmp/krb5cc_0 is gone (deleted from unknown), but i see a file /tmp/krb5cc_27465975_nGySkP which is owned by my unprivileged username and group is domainusers.
   is this expected? It seems that newer klist always wants to use the default name /tmp/krb5cc_0. It creates tgt with this name and tries to read this filename. but after reboot file is recreated with different name and default klist command fails. First login as unprivilged user was done with ssh-keypair without sssd, but "sudo -i" uses sssd agin. Whole thing only works like in 18.04 if you dont use ssh-keypairs and do all logins by hand with manually login, so sssd is forced to use in every step.

  What do you think? Is this a bug or wrong use? Behaviour of 18.04 was
  absolutely satisfying.

  Thanks,
  Hans

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1988144/+subscriptions