Renewable Tickets

Phil Dibowitz phil at usc.edu
Mon Oct 25 15:02:20 EDT 2004


So I have a kerberos realm. The KDC allows renewable tickets, but I
can't get a ticket with a renewable time longer than 0 seconds.

My kdc.conf has (among other things):

                 max_life = 10h 0m 0s
                 max_renewable_life = 7d 0h 0m 0s
                 default_principal_flags = +forwardable,+renewable

My krb5.conf originally had:

    [appdefaults]
         kinit = {
                 renewable = true
                 forwardable = true
         }

as well as:

    [libdefaults]
         ticket_lifetime = 600
         default_realm = ISD.USC.EDU
     ...

But according to the man page, you can put a "renew_lifetime" in the
libdefaults section which defaults to 0 -- bingo! right? So I changed
the libdefaults section to:

    [libdefaults]
         ticket_lifetime = 600
         renew_lifetime = 700
         default_realm = ISD.USC.EDU
     ...

But that broke things:

    [phil@frantic phil]$ kinit
    kinit(v5): Invalid argument while getting initial credentials

I tried various other values for renew_lifetime: 1, 4, 300, 400, 1200. I also
tried taking these completely out and using "kinit -r 10d" which gives me a
renewable lifetime of 0 seconds as well.

If I put renew_lifetime in the appdefaults section, it appears to get
ignored. I also tried taking the "kinit = {" part out and having
appdefaults be global, but that didn't work either.

It is noteworthy that a "kinit -r 7:0:0" (or even a "kinit -r 30:00")
still gets a renewal time of 0, despite it being a "renewable"
ticket:

    Valid starting     Expires            Service principal
    07/20/04 14:02:36  07/21/04 00:02:36  krbtgt/ISD.USC.EDU@ISD.USC.EDU
            renew until 07/20/04 14:02:36, Flags: RI

Which leads me to believe it's a kdc.conf problem, not a krb5.conf
problem. However, max_renewable_life is the only config I can find in
the man page that is applicable.

It's an MIT Kerberos V KDC (1.3.1) on Solaris 8 with Solaris 8 and 9 clients
(also using MIT kerb).

Thoughts, suggestions, or comments appreciated.

-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 174 - 213-821-5427
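
As an added check, not part of the post above or of MIT Kerberos itself, the following Python script parses klist -f output in the format quoted in the post and reports TGTs that carry the R flag but whose "renew until" equals their "Valid starting" time, i.e. the zero-second renewable lifetime the post describes. The sample listing is constructed: the first credential is the one quoted in the post, the second is a made-up host ticket (placeholder host name) whose renew-until really does lie seven days out.

```python
import re
from datetime import datetime

# Constructed sample: the first credential is the listing quoted in the post,
# the second is a made-up host ticket whose renew-until really is 7 days out.
SAMPLE_KLIST = """\
Valid starting     Expires            Service principal
07/20/04 14:02:36  07/21/04 00:02:36  krbtgt/ISD.USC.EDU@ISD.USC.EDU
        renew until 07/20/04 14:02:36, Flags: RI
07/20/04 14:02:40  07/21/04 00:02:40  host/frantic.example.org@ISD.USC.EDU
        renew until 07/27/04 14:02:40, Flags: FRA
"""

TS = r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
ENTRY = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW = re.compile(rf"^\s+renew until ({TS})(?:, Flags: (\w+))?")

def parse_ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")

def parse_klist(text):
    """Turn klist -f output into dicts: start, expires, service, renew_until, flags."""
    creds = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            creds.append({"start": parse_ts(m.group(1)),
                          "expires": parse_ts(m.group(2)),
                          "service": m.group(3),
                          "renew_until": None, "flags": ""})
            continue
        m = RENEW.match(line)
        if m and creds:  # the renew line belongs to the credential above it
            creds[-1]["renew_until"] = parse_ts(m.group(1))
            creds[-1]["flags"] = m.group(2) or ""
    return creds

def renewable_seconds(cred):
    """Effective renewable lifetime: how far 'renew until' lies past 'Valid starting'."""
    if cred["renew_until"] is None:
        return 0
    return max(0, int((cred["renew_until"] - cred["start"]).total_seconds()))

def zero_renew_tgts(creds):
    """TGTs flagged renewable (R) whose renew-until never passes their start time."""
    return [c["service"] for c in creds
            if c["service"].startswith("krbtgt/")
            and "R" in c["flags"] and renewable_seconds(c) == 0]
```

Run it against real output by piping `klist -f` into `parse_klist`; any principal returned by `zero_renew_tgts` is a ticket that will fail to renew even though the client requested renewability.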
