Strange KDC behaviour about renewable tickets

Tom Yu tlyu at MIT.EDU
Mon Mar 10 19:26:16 EST 2003


>>>>> "VT" == Vladimir Terziev <vladimir.terziev at sun-fish.com> writes:

VT> 	I have a MIT Kerberos 5 KDC configured with the following options for our realm:

VT> 	max_life = 15m 0s
VT> 	max_renewable_life = 1h 0m 0s

Did you create the database with these particular options set?

VT> 	When I do ``kinit -r 1h'', ``klist -f'' I see the following:

VT> 	Valid starting     Expires            Service principal
VT>         03/07/03 12:12:32  03/07/03 12:27:32  krbtgt/REALM at REALM
VT>         renew until 03/07/03 12:27:32, Flags: RI

VT> 	After 6 min I do ``kinit -R'', ``klist -f'' and I see the following,
VT> 	which is very strange for me:

VT>         Valid starting     Expires            Service principal
VT>         03/07/03 12:18:26  03/07/03 12:27:32  krbtgt/REALM at REALM
VT>         renew until 03/07/03 12:27:32, Flags: RIT

VT> 	Klist shows changed starting time, but the expiration time is the same.

This is not surprising.  The expiration time will not be later than
the "renew until" time.  It looks like the max renewable life is
effectively 15 minutes.

VT> 	Does anybody have an idea about this behaviour of KDC? Is this
VT> 	a bug in KDC or am I doing something wrong?

It may be a configuration issue.  Do all the principals involved,
client principal as well as TGT principal, have a max_renewable_life
at least one hour long?  The shortest of these durations will take
effect.

---Tom
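
The limits discussed in this thread, as an added example that is not part of the original message: a simplified Python model of how the "renew until" time and the expiry of a renewed ticket are bounded. The 15-minute client principal limit is an assumption chosen to reproduce the klist output quoted above; the function and variable names are illustrative.

```python
from datetime import datetime, timedelta

M = timedelta(minutes=1)
H = timedelta(hours=1)

def issue_tgt(start, requested_renew, max_life, renew_limits):
    """Initial renewable TGT as (start, end, renew_till).

    renew_limits holds every max_renewable_life that applies (realm,
    client principal, TGT principal); the shortest one takes effect.
    """
    renew_till = start + min([requested_renew, *renew_limits])
    return start, start + max_life, renew_till

def renew_tgt(now, ticket):
    """Renewal (kinit -R): same lifetime again, never past renew_till."""
    start, end, renew_till = ticket
    old_life = end - start
    return now, min(renew_till, now + old_life), renew_till

def scenario(renew_limits):
    """Replay the thread: kinit -r 1h at 12:12:32, kinit -R at 12:18:26."""
    t0 = datetime(2003, 3, 7, 12, 12, 32)
    tgt = issue_tgt(t0, requested_renew=1 * H, max_life=15 * M,
                    renew_limits=renew_limits)
    return tgt, renew_tgt(datetime(2003, 3, 7, 12, 18, 26), tgt)

# Assumed cause: realm allows 1h, but one principal still carries 15m.
observed = scenario([1 * H, 15 * M, 1 * H])
# After raising every limit involved to at least 1h.
corrected = scenario([1 * H, 1 * H, 1 * H])

if __name__ == "__main__":
    for label, (tgt, renewed) in (("observed", observed),
                                  ("corrected", corrected)):
        print(label)
        for name, (start, end, till) in (("initial", tgt),
                                         ("renewed", renewed)):
            print(f"  {name}: {start:%H:%M:%S} -> {end:%H:%M:%S}, "
                  f"renew until {till:%H:%M:%S}")
```

In the first scenario the renewed ticket gets a new start time but the same 12:27:32 expiry, matching the quoted output; in the second the renewal moves the expiry to 12:33:26 with "renew until" at 13:12:32.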

