Renewable Tickets
Eric Andresen
eandres at mars.asu.edu
Mon Oct 25 16:55:52 EDT 2004
On Mon, 2004-10-25 at 13:35, Phil Dibowitz wrote:
> On Mon, Oct 25, 2004 at 01:28:32PM -0700, Eric Andresen wrote:
> >
> > Try adding this small patch to your krb5 distribution -- it enables
> > kinit to look up default values for lifetime, renew lifetime, and
> > forwardable from the kinit and libdefaults sections.
>
> I'm happy to try a patch -- but if I understand the above (which I interpret
> as "adds support to kinit for reading libdefaults attributes from krb5.com"),
> if that was the problem, wouldn't "kinit -r 7d" work? Since that fails to
> work, I'm not understanding why adding this support would solve the problem
> (although it's a useful feature, and a good patch to have...).
>
> Am I missing something?
>
> That probably sounds a lot like biting the hand that feeds me -- and I'm
> really trying not to -- I just want to fully understand.
>
> Thanks for everyone's help.
First, I'd like to mention I was mistaken when I said the 'libdefaults'
section; I meant 'appdefaults', such as:

    [appdefaults]
    ticket_lifetime = 30days
    renew_lifetime = 180days

or alternatively, within a 'kinit' subgroup.

That said, I'm not quite sure why renewals are not working for you with
your current settings; I believe that it may have to do with your
default principal flags.

The default for default_principal_flags is for postdateable,
forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets,
and service to be enabled, and all others to be disabled.

You may wish to play with toggling some of the values that differ from
your user-defined value for these and see if it helps at all. A quick
glance at the kadm5 code shows that the user-supplied value doesn't get
combined with the defaults, just overrides them entirely, so this might
be of interest to you.

HTH,
--
Eric Andresen
Systems Administrator
Mars Space Flight Facility
Arizona State University
eandres at mars.asu.edu
(480) 727-8471