kinit max lifetime not working

David Botsch dwb7 at ccmr.cornell.edu
Thu Jun 3 18:02:15 EDT 2004 

Hi. Running rh7.3, krb5-1.2.4-11 rpms.

I cannot get the kerberos maxlifetime to work.

In /etc/krb5.conf:

[libdefaults]
 ticket_lifetime = 2592000

[appdefaults]
 pam = {
   debug = true
   ticket_lifetime = 2592000
   renew_lifetime = 2592000

I have also messed with the lifetime of the principals:

kadmin.local:  getprinc bozo
Principal: bozo at CCMR.CORNELL.EDU
Expiration date: Wed Dec 30 19:00:00 EST 2037
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 03 17:59:15 EDT 2004 (root/admin at CCMR.CORNELL.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]

kadmin.local:  getprinc krbtgt/CCMR.CORNELL.EDU
Principal: krbtgt/CCMR.CORNELL.EDU at CCMR.CORNELL.EDU
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 30 days 00:00:00
Last modified: Thu Jun 03 17:12:48 EDT 2004 (root/admin at CCMR.CORNELL.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD4, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]


so, let's try a kinit:
bee:~> kinit -l5days
Password for bozo at CCMR.CORNELL.EDU: 
bee:~> klist
Ticket cache: FILE:/tmp/krb5cc_252_NXXrfV
Default principal: bozo at CCMR.CORNELL.EDU

Valid starting     Expires            Service principal
06/03/04 18:00:01  06/04/04 18:00:01  krbtgt/CCMR.CORNELL.EDU at CCMR.CORNELL.EDU


Kerberos 4 ticket cache: /tmp/tkt252_epz0nn
klist: You have no tickets cached


as you can see, my kerberos ticket is not good for 5 days.

Is there some setting I am missing someplace? Is something just broken?

Thanks!
-Dave Botsch
dwb7 at ccmr.cornell.edu

More information about the Kerberos mailing list