sssd-kcm renews but klist doesn't show/apply new ticket

[rheaalleen]

I know renewals are possible without kcm but I was looking into it with a test client.

Configs:

krb5c.conf

[libdefaults]
      default_realm = DOMAIN.HOME
      dns_lookup_realm = false
      rdns = false
      dns_canonicalize_hostname = false
      dns_lookup_kdc = true
      ticket_lifetime = 10m
      forwardable = true
      udp_preference_limit = 0
      default_ccache_name = KCM:%{uid}
      kcm_socket = /var/run/.heim_org.h5l.kcm-socket
      #krb5_renewable_lifetime = 10m
      #krb5_renew_interval = 60s

sssd.conf

[kcm]
    tgt_renewal = true
    krb5_renew_interval = 1m
    krb5_renewable_lifetime = 10m
    debug_level = 10

During the minute interval it shows

[kcm_renew_all_tgts] (0x0400): Checking ccache [1098600003] for creds to renew
    [kcm_creds_check_times] (0x2000): Time not applicable

When its time do renew I would understand the logs that they are running the renew

(2024-02-03 14:41:59): [kcm] [setup_client_idle_timer] (0x4000): Idle timer re-s - Pastebin.com

Pastebin.com is the number one paste tool since 2002. Pastebin is a website where you can store text online for a set period of time.

pastebin.com

Checking klist after that still shows the old and now invalid ticket.

I´ve checked the KCM socket, path for krb/kcm/ssd (if applicable) all poin towards /var/run/.heim_org.h5l.kcm-socket.

All services running without fault, installed new keytab to client, rebooted. sssctl shows online status

Other, maybe related log entries (not sure):

sssd_domain.home.log

[sssd_async_socket_init_done] (0x0040): [RID#16] sdap_async_sys_connect request failed: [113]: No route to host.

sssd_nss.log

[nss] [cache_req_common_process_dp_reply] (0x3f7c0): [CID#3] CR #2: Could not get account info [1432158212]: SSSD is offline