Renewable Tickets

Eric Andresen eandres at
Mon Oct 25 16:55:52 EDT 2004

On Mon, 2004-10-25 at 13:35, Phil Dibowitz wrote:
> On Mon, Oct 25, 2004 at 01:28:32PM -0700, Eric Andresen wrote:
> > 
> > Try adding this small patch to your krb5 distribution -- it enables
> > kinit to look up default values for lifetime, renew lifetime, and
> > forwardable from the kinit and libdefaults sections.
> I'm happy to try a patch -- but if I understand the above (which I interpret
> as "adds support to kinit for reading libdefaults attributes from"),
> if that was the problem, wouldn't "kinit -r 7d" work? Since that fails to
> work, I'm not understanding why adding this support would solve the problem
> (although it's a useful feature, and a good patch to have...).
> Am I missing something?
> That probably sounds a lot like biting the hand that feeds me -- and I'm
> really trying not to -- I just want to fully understand.
> Thanks for everyone's help.

First, I'd like to mention I was mistaken when I said the 'libdefaults'
section; I meant 'appdefaults', such as:

 ticket_lifetime = 30days
 renew_lifetime = 180days

or alternatively, within a 'kinit' subgroup.

That said, I'm not quite sure why renewals are not working for you with
your current settings; I believe that it may have to do with your
default principal flags.

The default for default_principal_flags is for postdateable,
forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets,
and service to be enabled, and all others to be disabled.

You may wish to play with toggling some of the values that differ from
your user-defined value for these and see if it helps at all. A quick
glance at the kadm5 code shows that the user-supplied value doesn't get
combined with the defaults, just overrides them entirely, so this might
be of interest to you.

   Eric Andresen
   Systems Administrator
   Mars Space Flight Facility
   Arizona State University
   eandres at
   (480) 727-8471
