Renewable Tickets

Phil Dibowitz phil at usc.edu
Mon Oct 25 15:52:50 EDT 2004 

On Mon, Oct 25, 2004 at 03:22:23PM -0400, Ken Raeburn wrote:
> On Oct 25, 2004, at 15:02, Phil Dibowitz wrote:
> >    [libdefaults]
> >         ticket_lifetime = 600
> 
> This won't do what you think.  First, we're not parsing 
> "ticket_lifetime", despite having some indications around that we do.  
> Second, the time-interval parsing code requires a unit.  (I think both 
> of these will change in the 1.4 release.)

Thanks for the info, though I don't suspect that's the problem here.

> Try "700s" or "700m".

with: 

[libdefaults]
        ticket_lifetime = 600m
        renew_lifetime = 700d

I get:
[phil at frantic phil]$ kinit
Password for phil at ISD.USC.EDU: 
[phil at frantic phil]$ klist
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil at ISD.USC.EDU

Valid starting     Expires            Service principal
10/25/04 12:49:07  10/25/04 22:49:07  krbtgt/ISD.USC.EDU at ISD.USC.EDU
        renew until 10/25/04 12:49:07
[phil at frantic phil]$ kdestroy 
[phil at frantic phil]$ kinit -r 7d
Password for phil at ISD.USC.EDU: 
[phil at frantic phil]$ klist
Ticket cache: FILE:/tmp/krb5cc_36070
Default principal: phil at ISD.USC.EDU

Valid starting     Expires            Service principal
10/25/04 12:49:36  10/25/04 22:49:36  krbtgt/ISD.USC.EDU at ISD.USC.EDU
        renew until 10/25/04 12:49:36

> Also check the properties on the client and service principals 
> (including the krbtgt principals).  I forget whether max renewable 
> lifetime is one of them, but if it is, it would be set when the 
> principal is created or when you use "modprinc" in kadmin, and the 
> config file specifications won't extend it, only (potentially) further 
> limit it.

You had me all excited for a minute... but no:

kadmin:  getprinc phil
...
Maximum renewable life: 7 days 00:00:00

=(
-- 
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 174 - 213-821-5427

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20041025/97a652eb/attachment.bin

More information about the Kerberos mailing list