Help with ticket expiry

Andrew B. Young andrew at an3e.org
Fri Sep 22 13:57:01 EDT 2006


I've struggled with ticket expiry for > 8 hours now and am asking for
help.  Googling the topic over these archives has led me to try these
things, but first my setup--

[ayoung:ayoung@ns1 ~]$ uname -a
Linux ns1.an3e.org 2.6.17-1.2157_FC5 #1 ... 2006 i686 i686 i386 GNU/Linux

[ayoung:ayoung@ns1 ~]$ rpm -q -a | grep krb
krb5-server-1.4.3-4.1
krb5-libs-1.4.3-4.1
pam_krb5-2.2.6-2.2

I am trying to increase my expiry from 24h to 72h.

I first edited /etc/krb5.conf *AFTER* creating my principals
Under [libdefaults]
FROM: ticket_lifetime = 24h TO: 72h
And sudo /etc/rc.d/init.d/krb5kdc reload

kdestroy; kinit; klist (for example) doesn't seem to have done much--
[ayoung:ayoung@ayoung-g219 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_25670
Default principal: ayoung@AN3E.ORG
Valid starting     Expires            Service principal
09/22/06 09:44:53  09/23/06 09:44:53  krbtgt/AN3E.ORG@AN3E.ORG

Four hours of googling later--
kadmin: modify_principal -maxlife 72h ayoung

Thirty minutes of googling later--
kadmin:  modify_principal  -maxlife "3 days" ayoung

kadmin:  getprinc ayoung
Principal: ayoung@AN3E.ORG
Expiration date: [never]
Last password change: Mon Jul 31 14:28:45 PDT 2006
Password expiration date: [none]
Maximum ticket life: 3 days 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Fri Sep 22 10:50:36 PDT 2006 (admin/admin@AN3E.ORG)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

And again for krbtgt--
kadmin:  modify_principal  -maxlife "3 days" krbtgt/AN3E.ORG

But it seems that I still don't have a 3 day ticket--
[ayoung:ayoung@ayoung-g219 ~]$ kdestroy;kinit;klist
Password for ayoung@AN3E.ORG:
Ticket cache: FILE:/tmp/krb5cc_25670
Default principal: ayoung@AN3E.ORG

Valid starting     Expires            Service principal
09/22/06 10:53:48  09/23/06 10:53:48  krbtgt/AN3E.ORG@AN3E.ORG


Kerberos 4 ticket cache: /tmp/tkt25670
klist: You have no tickets cached


From the posts I've discovered this should be all I need do to increase
the expiry for the principal "ayoung".  Any thoughts? Thanks much!

-Andrew



