klist not showing tgt after reboot

Thanks for taking the time to report a bug and make Ubuntu better.

I tried reproducing the problem here but it seems there's something I'm missing. I have a Samba AD DC setup (running Focal, but that shouldn't matter) and I setup a Bionic client. I then obtained a ticket using "kinit", verified that the ticket is listed using "klist", and then reboot the VM. When it came back online, the ticket was gone. The same behaviour happens if I setup a Focal client, BTW.

I may be wrong, but looking at the ticket you got on the Bionic machine it seems to me that there's some extra configuration in your /etc/krb5.conf that may be causing this behaviour.

Would it be possible for you to come up with a step-by-step reproducer for this problem, please?

Thanks in advance.

Hello Sergio,

thanks for your help.

I can do that. I will explain a step by step procedure for my setup. Also i attach a file with anonymised krb5.conf, realmd.conf and sssd.conf

We have a ActiveDirectory Domain which is controlled by multiple Domaincontrollers. We attach some of our Linuxserver to AD to control by AD-Group who can access and sudo on this linuxmachines. In my conf files the domain is simple called domain.de|DOMAIN.DE

- starting point is a fresh installed Ubuntu 18.04 or 22.04 LTS with a lokal admin. this lokal admin is used to initiate the AD Connection. Basically i followed this tutorial: https://schroeffu.ch/2019/09/linux-active-directory-ldap-ssh-login-mit-sssd-und-realmd/

- Installation:
apt install realmd sssd sssd-tools samba-common krb5-user packagekit samba-common-bin samba-libs adcli

- please see attached krb5.conf, realmd.conf

- now i get a tgt with kinit using my AD-Domainadmincredentials
kinit <email address hidden>

- joining Domain
realm --verbose join DOMAIN.DE -U <email address hidden>

- at this point we are part of domain and after domainsync every user in group LinuxAdmins can login by ssh. making sudo is allowed by a config in /etc/sudoers.d/ which contains
%LinuxAdmins ALL=(ALL:ALL) ALL

Now i use a unprivileged domainuser which is part of AD-group LinuxAdmins
For fast login i use a key-pair for this user to login as unprivileged user. So i log in by ssh-keys and do a "sudo -i" to stay permanent root. Now sssd works and checks my AD-Data/Passwort. iam allowed to do sudo and now iam root user. klist now shows a valid tgt and klist -ekt shows valid KVNO, Timestamp and Principal

Now i do the same on Ubuntu 22, all steps/configs identical except a line in sssd.conf (see comment in first section) because services use other startup.
On ubuntu 22 i use my unprivilged user to login by ssh-keys then doing "sudo -i" and klist says:
klist: No credentials cache found (filename: /tmp/krb5cc_0)
a file /tmp/krb5cc_0 is not existent but i see a file /tmp/krb5cc_27465975_nGySkP which is owned by my unprivilged username but not used by klist. May be the problem is in the sudo environment.

In Ubuntu 22 i see a valid tgt by klist only if i do every login by hand and dont use a ssh key. but this was working in ubuntu 18 and i liked the way, because i hop on a lot of servers every day and first login by ssh-key is very comfy.
May be this is only a small bug in this particular case, but i want to make sure that my services still work after some time, because the existing keytab can used for other purposes like authentication by apache-webserver too and i dont want them to be harmed by this issue.

Thanks for your help,
Hans

realmd.conf

sssd.conf

Hello Sergio,

do you have conceived an opinion on this issue?

Thanks,
Hajo

Hi Hajo,

Sorry for the delay; I've been traveling and in work meetings for the past weeks. I will take a closer look at the information you provided and try to reproduce the problem. I'll get back to you when I have more results.

Thanks.