Renewable Tickets

Eric Andresen eandres at mars.asu.edu
Mon Oct 25 16:55:52 EDT 2004


On Mon, 2004-10-25 at 13:35, Phil Dibowitz wrote:
> On Mon, Oct 25, 2004 at 01:28:32PM -0700, Eric Andresen wrote:
> > 
> > Try adding this small patch to your krb5 distribution -- it enables
> > kinit to look up default values for lifetime, renew lifetime, and
> > forwardable from the kinit and libdefaults sections.
> 
> I'm happy to try a patch -- but if I understand the above (which I interpret
> as "adds support to kinit for reading libdefaults attributes from krb5.conf"),
> if that was the problem, wouldn't "kinit -r 7d" work? Since that fails to
> work, I'm not understanding why adding this support would solve the problem
> (although it's a useful feature, and a good patch to have...).
> 
> Am I missing something?
> 
> That probably sounds a lot like biting the hand that feeds me -- and I'm
> really trying not to -- I just want to fully understand.
> 
> Thanks for everyone's help.

First, I'd like to mention I was mistaken when I said the 'libdefaults'
section; I meant 'appdefaults', such as:

[appdefaults]
 ticket_lifetime = 30days
 renew_lifetime = 180days

or alternatively, within a 'kinit' subgroup.

That said, I'm not quite sure why renewals are not working for you with
your current settings; I believe that it may have to do with your
default principal flags.

The default for default_principal_flags is for postdateable,
forwardable, tgt-based, renewable, proxiable, dup-skey, allow-tickets,
and service to be enabled, and all others to be disabled.

You may wish to play with toggling some of the values that differ from
your user-defined value for these and see if it helps at all. A quick
glance at the kadm5 code shows that the user-supplied value doesn't get
combined with the defaults, just overrides them entirely, so this might
be of interest to you.

HTH,
-- 
   Eric Andresen
   Systems Administrator
   Mars Space Flight Facility
   Arizona State University
   eandres at mars.asu.edu
   (480) 727-8471