Bug #11262

Active Directory won't re-start if krb5 ticket expires

Added by DENNY VANDEMAELE about 5 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Important
Assignee: John Hixson
Category: OS
Target version:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

I did some testing today of restarting FreeNAS Active Directory and it would not restart.

The FreeNAS server had an uptime of 8 days, 23 hours.

While trying to diagnose it, I noticed that the krb5 ticket was expired:

------------------------
[root@freenas2] ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires        Principal
Aug 29 10:30:00 >>>Expired<<<
------------------------

I moved the ticket to a backup and tried starting A/D and it started right up.

This happened on my TrueNAS as well as a FreeNAS nightly. Note that a reboot also fixes the issue.

I guess this would go unnoticed for most people as they wouldn't likely restart Active Directory.

History

#1 Updated by John Hixson about 5 years ago

  • Status changed from Unscreened to Screened
  • Priority changed from No priority to Important
  • Target version set to 261

#2 Updated by John Hixson about 5 years ago

Until I fix this (I haven't yet been able to reproduce it), you can work around it by going to the command line and typing "kdestroy".

#3 Updated by DENNY VANDEMAELE about 5 years ago

Thanks John,

This morning when I came in I shelled to each of my True/FreeNAS servers and found 2 of them with expired tickets by using klist.

I attempted to restart A/D on one of them and it would not, so I used the kdestroy and then it started right up.

I left the other with an expired ticket if you want to take a look.

#4 Updated by John Hixson about 5 years ago

  • Status changed from Screened to 15

DENNY VANDEMAELE wrote:

Thanks John,

This morning when I came in I shelled to each of my True/FreeNAS servers and found 2 of them with expired tickets by using klist.

I attempted to restart A/D on one of them and it would not, so I used the kdestroy and then it started right up.

I left the other with an expired ticket if you want to take a look.

Hi Denny,

I'd love to take a look. When will you be available? We use TeamViewer for doing things like this. So if you don't have it already, please install it. You can send your info to me at

#5 Updated by John Hixson about 5 years ago

  • Status changed from 15 to Investigation

Scheduled for tomorrow at 5pm EST.

#6 Updated by DENNY VANDEMAELE about 5 years ago

Added info, not sure if this helps:

I knew that this cron job ran every 5 hours: /etc/ix.rc.d/ix-kinit renew

So I did a klist on one of my servers to see when the ticket was issued and when it expires and it came back with Issued 05:30 and expires 11:37.

------------------------
[root@freenas7] ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires          Principal
Sep 2 05:30:00 Sep 2 11:37:17
------------------------------------------------------------------

So I waited after 10:30 (when the 5 hour ix-renew would kick again) and did another klist (about 1pm):

------------------------
[root@freenas7] ~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires        Principal
Sep 2 10:30:00 >>>Expired<<<
----------------------------------------------------------------

Then I checked the timestamp on /tmp/krb5cc_0 and it was 10:30 when the cron kicked off the ix-renew:

-----------------------------------
[root@freenas7] ~# ll /tmp/krb5cc_0
rw------ 1 root wheel 1297 Sep 2 10:30 /tmp/krb5cc_0
----------------------------------------------------------
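
As an added example (not part of the original thread or of the FreeNAS code base): a small shell check that classifies klist output of the shape quoted in this report, so a cache holding an expired ticket, like the one seen after the ix-kinit renew run, is flagged before an Active Directory restart is attempted. The function names and the two sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a klist listing in the format quoted in this report.
# cache_state reads klist output on stdin and prints one word:
#   expired - at least one ticket row shows >>>Expired<<<
#   empty   - no ticket rows follow the Issued/Expires header
#   valid   - ticket rows exist and none is marked expired
cache_state() {
    awk '
        $1 == "Issued" && $2 == "Expires" { in_table = 1; next }  # header row
        in_table && NF == 0               { next }                # skip blank lines
        in_table { rows++; if (index($0, ">>>Expired<<<")) expired++ }
        END {
            if (expired > 0)    print "expired"
            else if (rows == 0) print "empty"
            else                print "valid"
        }'
}

# report_cache (hypothetical helper) turns the state into a message and an
# exit status that cron or a monitoring check can act on.
report_cache() {
    state=$(cache_state)
    case "$state" in
        expired) echo "expired ticket in cache: run kdestroy, then restart AD"; return 1 ;;
        empty)   echo "no tickets in cache"; return 0 ;;
        *)       echo "tickets valid"; return 0 ;;
    esac
}

# Constructed samples, shaped like the klist output quoted in the comments above.
SAMPLE_VALID='Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires          Principal
Sep 2 05:30:00 Sep 2 11:37:17'

SAMPLE_EXPIRED='Credentials cache: FILE:/tmp/krb5cc_0
Principal:

Issued           Expires        Principal
Sep 2 10:30:00 >>>Expired<<<'

printf '%s\n' "$SAMPLE_VALID"   | report_cache
printf '%s\n' "$SAMPLE_EXPIRED" | report_cache || true
# On a live system: klist 2>/dev/null | report_cache
```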

#7 Updated by John Hixson about 5 years ago

  • Status changed from Investigation to Ready For Release

Confirmed with Denny that 4c72fe9d2fa45795066cfaa03716edbe3fc19fb1 fixes this issue.

#8 Updated by Jordan Hubbard about 5 years ago

  • Status changed from Ready For Release to Resolved

#9 Updated by Kris Moore about 4 years ago

  • Target version changed from 261 to N/A
