kinit max lifetime not working
David Botsch
dwb7 at ccmr.cornell.edu
Thu Jun 3 18:02:15 EDT 2004
Hi. Running rh7.3, krb5-1.2.4-11 rpms.
I cannot get the kerberos maxlifetime to work.
In /etc/krb5.conf:
[libdefaults]
    ticket_lifetime = 2592000
[appdefaults]
    pam = {
        debug = true
        ticket_lifetime = 2592000
        renew_lifetime = 2592000
    }
I have also messed with the lifetime of the principals:
kadmin.local: getprinc bozo
Principal: bozo@CCMR.CORNELL.EDU
Expiration date: Wed Dec 30 19:00:00 EST 2037
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 03 17:59:15 EDT 2004 (root/admin@CCMR.CORNELL.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, AFS version 3
Attributes:
Policy: [none]
kadmin.local: getprinc krbtgt/CCMR.CORNELL.EDU
Principal: krbtgt/CCMR.CORNELL.EDU@CCMR.CORNELL.EDU
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 30 days 00:00:00
Maximum renewable life: 30 days 00:00:00
Last modified: Thu Jun 03 17:12:48 EDT 2004 (root/admin@CCMR.CORNELL.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with RSA-MD4, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]
So, let's try a kinit:
bee:~> kinit -l5days
Password for bozo@CCMR.CORNELL.EDU:
bee:~> klist
Ticket cache: FILE:/tmp/krb5cc_252_NXXrfV
Default principal: bozo@CCMR.CORNELL.EDU

Valid starting     Expires            Service principal
06/03/04 18:00:01  06/04/04 18:00:01  krbtgt/CCMR.CORNELL.EDU@CCMR.CORNELL.EDU
Kerberos 4 ticket cache: /tmp/tkt252_epz0nn
klist: You have no tickets cached
As you can see, my Kerberos ticket is not good for 5 days.
Is there some setting I am missing someplace? Is something just broken?
Thanks!
-Dave Botsch
dwb7 at ccmr.cornell.edu