Open tiran opened 7 years ago
It looks like GSSAPI does not auto-refresh a TGT with client keytab when the TGT is expired:
2017-04-13 13:38:12 - custodia - Custodia debug logger enabled
2017-04-13 13:38:12 - custodia - Custodia audit log: /tmp/audit.log
2017-04-13 13:38:12 - custodia - Config file <closed file 'custodia.conf', mode 'r' at 0x7f025fc29660> loaded
2017-04-13 13:38:13 - IPAInterface-[auth:ipa] - Unable to get principal from GSSAPI. Are you missing a TGT or valid Kerberos keytab?
Traceback (most recent call last):
  File "/tmp/venv/bin/custodia", line 11, in <module>
    sys.exit(main())
  File "/tmp/venv/lib/python2.7/site-packages/custodia/server/__init__.py", line 211, in main
    _load_plugins(config, cfgparser)
  File "/tmp/venv/lib/python2.7/site-packages/custodia/server/__init__.py", line 191, in _load_plugins
    raise RuntimeError(menu, name, e)
RuntimeError: ('authenticators', 'ipa', CCacheError(u'Major (720896): The referenced credential has expired, Minor (100001): Success',))

$ klist
Ticket cache: FILE:/tmp/ccache
Default principal: custodia/client1.ipa.example@IPA.EXAMPLE

Valid starting       Expires              Service principal
2017-04-12 13:07:18  2017-04-13 13:07:18  krbtgt/IPA.EXAMPLE@IPA.EXAMPLE
2017-04-12 13:07:39  2017-04-13 13:07:18  HTTP/master.ipa.example@IPA.EXAMPLE
The TGT is acquired with ipalib.krb_utils.get_principal() using KRB5_CLIENT_KTNAME. The function calls gssapi.Credentials(usage='initiate', name=None, store=None).
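An added example, not code from custodia, ipalib or python-gssapi: it parses the `klist` listing from the report above and reports whether the krbtgt ticket is already expired or about to expire, which is the check a caller would run before handing the cache to `gssapi.Credentials(usage='initiate')` so it can re-acquire from the client keytab instead of failing at plugin load. It assumes MIT `klist`'s default "Valid starting / Expires / Service principal" table layout; the sample text is a constructed copy of the report's output.

```python
"""Detect an expired or nearly expired TGT in a credential cache listing."""
from datetime import datetime, timedelta

# Constructed sample: the `klist` output from the bug report, captured after
# the TGT had already expired (the failing run started at 2017-04-13 13:38:13).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/ccache
Default principal: custodia/client1.ipa.example@IPA.EXAMPLE

Valid starting       Expires              Service principal
2017-04-12 13:07:18  2017-04-13 13:07:18  krbtgt/IPA.EXAMPLE@IPA.EXAMPLE
2017-04-12 13:07:39  2017-04-13 13:07:18  HTTP/master.ipa.example@IPA.EXAMPLE
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_klist(text):
    """Return (default_principal, [(service, valid_from, expires), ...])
    from MIT klist output in its default table layout."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        # Ticket rows: two "date time" stamps (4 tokens), then the service.
        if len(parts) >= 5 and parts[0][:4].isdigit():
            try:
                start = datetime.strptime(" ".join(parts[0:2]), TS_FMT)
                end = datetime.strptime(" ".join(parts[2:4]), TS_FMT)
            except ValueError:
                continue  # not a ticket row (e.g. a header that happens to match)
            tickets.append((parts[4], start, end))
    return principal, tickets


def tgt_needs_refresh(text, now, margin_seconds=300):
    """True when the cache has no krbtgt for the default principal's realm, or
    that ticket expires within `margin_seconds` of `now` (a TS_FMT string).
    A True result means: re-acquire from the client keytab (KRB5_CLIENT_KTNAME)
    rather than rely on GSSAPI to refresh the expired TGT on its own."""
    principal, tickets = parse_klist(text)
    if principal is None:
        return True
    realm = principal.rsplit("@", 1)[-1]
    tgt = f"krbtgt/{realm}@{realm}"
    now_dt = datetime.strptime(now, TS_FMT)
    for service, _start, expires in tickets:
        if service == tgt:
            return expires - now_dt <= timedelta(seconds=margin_seconds)
    return True  # no TGT at all in the cache
```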