Strange problem with ticket renewal
Miroslav Zubcic
mvz at crol.net
Mon Apr 1 14:30:16 EST 2002
Nicolas.Williams at ubsw.com (Nicolas Williams) writes:
> Sorry.
>
> Here's the deal: you must get all the little ducks in a row.
:-)
> Specifically, the renewable life is set to be the minimum of:
>
> - the requested renewable life
> - the client principal's max renewable life
Played with that, this was even more confusing, after modifying
principal and getting tickets - like nothing was modified.
> - the service principal's max renewable life
> - the max renewable life for the realm (or one day, if not set)
I think that the places on disk where kdc.conf and krb5.conf are
stored are totally devastated because of editing. :-)
> The principals' max renewable life times are set in the KDB records with
> kadmin. By default new principals get a max renewable life of 0 if the
> max renewable life for the realm is not set in kdc.conf. The kdb5_util
> utility sets the max renewable life for the TGS the same way.
>
> So, chances are that your krbtgt/<realm>@<realm> has a max renewable
> life time of 0. Fix that, and your users' max renew times and you'll be
> set.
YES! That was the problem. This explanation *must* come in the documentation
and FAQs! There is no explanation for that on Google web or groups,
and there are a couple of questions like mine, but without an answer!
My krbtgt/CROL.NET at CROL.NET was 10h maxlife and 0 max renewable
date. (exactly that was given by kinit to users) Probably I created
krbtgt in the beginning of setup and the defaults in the conf files were not
tuned properly yet.
After a month and a half I _finally_ solved this annoying problem in 2
minutes! - Thanks to you Nicolas.
Thank you very much Nicolas!
--
This signature intentionally left blank
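
The minimum-of-four rule quoted in this message, as an added example that is not part of the original post: it reads the "Maximum renewable life" field from kadmin getprinc-style text and reports which limit caps the ticket. The sample records are constructed, the output layout is an assumption, and user@CROL.NET is a hypothetical principal.

```python
import re

# Constructed samples in the style of kadmin "getprinc" output (layout assumed);
# the krbtgt values mirror the case described in the post: 10h life, 0 renewable.
SAMPLE_TGS = """Principal: krbtgt/CROL.NET@CROL.NET
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 0 days 00:00:00
"""
SAMPLE_USER = """Principal: user@CROL.NET
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
"""

_LIFE = re.compile(
    r"^Maximum renewable life:\s*(\d+) days? (\d+):(\d+):(\d+)\s*$", re.M)

def max_renew_seconds(getprinc_text):
    """Extract 'Maximum renewable life' from getprinc-style text, in seconds."""
    m = _LIFE.search(getprinc_text)
    if m is None:
        raise ValueError("no 'Maximum renewable life' line found")
    d, h, mi, s = map(int, m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s

def effective_renew(requested, client_text, service_text, realm_max):
    """Return (seconds, limiting_factors) under the minimum-of-four rule."""
    limits = {
        "requested renewable life": requested,
        "client principal max renewable life": max_renew_seconds(client_text),
        "service principal max renewable life": max_renew_seconds(service_text),
        "realm max renewable life": realm_max,
    }
    low = min(limits.values())
    # Several limits can tie; report every one that equals the minimum.
    return low, [name for name, value in limits.items() if value == low]

if __name__ == "__main__":
    week = 7 * 86400
    secs, why = effective_renew(week, SAMPLE_USER, SAMPLE_TGS, week)
    print(f"renewable life granted: {secs}s, limited by: {', '.join(why)}")
```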