Renewable Tickets
Phil Dibowitz
phil at usc.edu
Mon Oct 25 15:02:20 EDT 2004
So I have a kerberos realm. The KDC allows renewable tickets, but I
can't get a ticket with a renewable time longer than 0 seconds.
My kdc.conf has (among other things):
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
default_principal_flags = +forwardable,+renewable
My krb5.conf originally had:
[appdefaults]
kinit = {
renewable = true
forwardable = true
}
as well as:
[libdefaults]
ticket_lifetime = 600
default_realm = ISD.USC.EDU
...
But according to the man page, you can put a "renew_lifetime" in the
libdefaults section which defaults to 0 -- bingo! right? So I changed
the libdefaults section to:
[libdefaults]
ticket_lifetime = 600
renew_lifetime = 700
default_realm = ISD.USC.EDU
...
But that broke things:
[phil@frantic phil]$ kinit
kinit(v5): Invalid argument while getting initial credentials
I tried various other values for renew_lifetime: 1, 4, 300, 400, 1200. I also
tried taking these completely out and using "kinit -r 10d" which gives me a
renewable lifetime of 0 seconds as well.
If I put renew_lifetime in the appdefaults section, it appears to get
ignored. I also tried taking the "kinit = {" part out and having
appdefaults be global, but that didn't work either.
It is noteworthy that a "kinit -r 7:0:0" (or even a "kinit -r 30:00")
still gets a renewal time of 0, despite it being a "renewable"
ticket:
Valid starting     Expires            Service principal
07/20/04 14:02:36  07/21/04 00:02:36  krbtgt/ISD.USC.EDU@ISD.USC.EDU
        renew until 07/20/04 14:02:36, Flags: RI
Which leads me to believe it's a kdc.conf problem, not a krb5.conf
problem. However, max_renewable_life is the only config I can find in
the man page that is applicable.
It's an MIT Kerberos V KDC (1.3.1) on Solaris 8 with Solaris 8 and 9 clients
(also using MIT kerb).
Thoughts, suggestions, or comments appreciated.
--
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 174 - 213-821-5427
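The post above shows a ticket carrying the R flag whose "renew until" time equals its start time, i.e. a renewable lifetime of zero. The script below is an added example, not code from the post or from MIT Kerberos: it parses the duration strings used in kdc.conf, krb5.conf and "kinit -r" ("7d 0h 0m 0s", "7:0:0", "30:00", bare seconds), parses klist output in the two-line layout quoted above, and reports whether a ticket's renewal window is actually usable. The sample klist text is constructed from the values in the post (with "@" restored and a placeholder user principal). One assumption, stated in the comments: MIT Kerberos grants the smallest of the requested renewable life, kdc.conf max_renewable_life, and the maxrenewlife attributes of the client and krbtgt principals, so a zero anywhere in that list yields the zero-length window seen in the post; the helper effective_renewable_life models that minimum.

```python
import re
from datetime import datetime

# Seconds per unit for the "NdNhNmNs" duration form.
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
# Whole-string check for the "NdNhNmNs" form (spaces between fields allowed).
_DELTAT_RE = re.compile(r"(?:\s*\d+\s*[dhms])+\s*")


def parse_deltat(text: str) -> int:
    """Parse an MIT-krb5-style duration and return seconds.

    Accepts the forms used in the post: "7d 0h 0m 0s", "7:0:0" (h:m:s),
    "30:00" (h:m) and a bare number of seconds.  Assumption: the real
    krb5 parser accepts a few more spellings; these are the common ones.
    """
    s = text.strip()
    if re.fullmatch(r"\d+", s):
        return int(s)
    if ":" in s:
        parts = s.split(":")
        if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
            raise ValueError(f"bad duration {text!r}")
        nums = [int(p) for p in parts] + [0] * (3 - len(parts))
        return nums[0] * 3600 + nums[1] * 60 + nums[2]
    if not _DELTAT_RE.fullmatch(s):
        raise ValueError(f"bad duration {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in re.findall(r"(\d+)\s*([dhms])", s))


def effective_renewable_life(requested: str, *limits: str) -> int:
    """Model of how the KDC caps a renewable request.

    Assumption (MIT Kerberos behaviour): the granted renewable life is the
    minimum of the requested value, kdc.conf max_renewable_life, and the
    maxrenewlife of the client and krbtgt principals.  Any 0 wins.
    """
    return min(parse_deltat(requested), *(parse_deltat(lim) for lim in limits))


# klist timestamp layout as quoted in the post: MM/DD/YY HH:MM:SS
_TS_FMT = "%m/%d/%y %H:%M:%S"
_TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
_TICKET_RE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
_RENEW_RE = re.compile(rf"^\s*renew until ({_TS})(?:, Flags: (\S+))?\s*$")


def parse_klist(output: str) -> list:
    """Turn klist output into a list of ticket dicts with computed windows."""
    tickets = []
    for line in output.splitlines():
        m = _TICKET_RE.match(line.strip())
        if m:
            start = datetime.strptime(m.group(1), _TS_FMT)
            expires = datetime.strptime(m.group(2), _TS_FMT)
            tickets.append({
                "principal": m.group(3), "start": start, "expires": expires,
                "lifetime": int((expires - start).total_seconds()),
                "renew_until": None, "renewable_life": 0, "flags": "",
            })
            continue
        m = _RENEW_RE.match(line)
        if m and tickets:  # continuation line belongs to the previous ticket
            t = tickets[-1]
            t["renew_until"] = datetime.strptime(m.group(1), _TS_FMT)
            t["renewable_life"] = int((t["renew_until"] - t["start"]).total_seconds())
            t["flags"] = m.group(2) or ""
    return tickets


def diagnose(ticket: dict) -> str:
    """Explain whether the ticket's renewal window is of any use."""
    if "R" not in ticket["flags"]:
        return "not renewable"
    if ticket["renewable_life"] <= ticket["lifetime"]:
        # Renewable flag set, but renew-until is no later than expiry:
        # exactly the symptom in the post (renew until == valid starting).
        return (f"renewable flag set but renewal window is "
                f"{ticket['renewable_life']}s, no longer than the ticket itself")
    return f"renewable for {ticket['renewable_life']}s"


# Constructed sample modelled on the klist output quoted in the post.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@ISD.USC.EDU

Valid starting     Expires            Service principal
07/20/04 14:02:36  07/21/04 00:02:36  krbtgt/ISD.USC.EDU@ISD.USC.EDU
\trenew until 07/20/04 14:02:36, Flags: RI
"""

if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        print(t["principal"], "lifetime", t["lifetime"], "->", diagnose(t))
    print("kinit -r 10d under a 0 principal limit ->",
          effective_renewable_life("10d", "7d 0h 0m 0s", "0"), "s")
```

Run it against real output with `klist -f | python3 thisfile.py` style plumbing of your choice; the point of the check is that a ticket whose "renew until" is no later than its expiry cannot be extended by "kinit -R", whatever its flags say.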