max ticket/renew appears to not work in 1.7.1?

Kevin Longfellow klongfel at yahoo.com
Mon Mar 15 10:23:01 EDT 2010


Hi,

We are working on setting up a very large Kerberos environment and recently changed to 1.7.1 with an LDAP back end for our testing.  Since two things changed from our previous test environment, I'm not sure what might be the cause of user tickets not getting the requested max lifetime and max renewable life.  Our previous test environment was 1.7 with the local database option.

I'll try and list some things that might be relevant:

kadmin.local:  getprinc krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
Principal: krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 90 days 00:00:00
Maximum renewable life: 90 days 00:00:00
Last modified: Tue Mar 09 13:49:21 PST 2010 (root/admin@DEV.COMPANY.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
MKey: vno 1
Attributes:
Policy: [none]

[klongfel@klongfel-ovs3 ~]$ kinit -l 90d -r 90d
Password for klongfel@DEV.COMPANY.COM:
[klongfel@klongfel-ovs3 ~]$ klist -face
Ticket cache: FILE:/tmp/krb5cc_16620
Default principal: klongfel@DEV.COMPANY.COM

Valid starting     Expires            Service principal
03/15/10 10:11:06  03/16/10 10:11:06  krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
        renew until 03/22/10 10:11:06, Flags: RI
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
        Addresses: (none)


Kerberos 4 ticket cache: /tmp/tkt16620
klist: You have no tickets cached

kadmin.local:  getprinc klongfel
Principal: klongfel@DEV.COMPANY.COM
Expiration date: [never]
Last password change: Thu Mar 11 12:45:54 PST 2010
Password expiration date: [none]
Maximum ticket life: 90 days 00:00:00
Maximum renewable life: 90 days 00:00:00
Last modified: Thu Mar 11 12:45:54 PST 2010 (root/admin@DEV.COMPANY.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, Version 5
MKey: vno 1
Attributes:
Policy: [none]

[kdcdefaults]
        kdc_ports = 750,88
        clockskew = 3600

[realms]
        DEV.COMPANY.COM = {
                acl_file = /opt/krb5_local/var/krb5kdc/kadm5.acl
                kdc_ports = 750,88
                max_life = 90d 0h 0m 0s
                max_renewable_life =  90d 0h 0m 0s
        }

What am I missing, or what can I check or read, to ensure we can get higher ticket and renew lifetimes?

Thanks for any help with this,

Kevin
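The klist output in the post shows a TGT valid for exactly 1 day and renewable for exactly 7 days, which are MIT krb5's compiled-in ceilings (KRB5_KDB_MAX_LIFE and KRB5_KDB_MAX_RLIFE in kdb.h) rather than any of the 90-day limits the post lists. The KDC grants the smallest of the requested value and every applicable ceiling (client principal, service principal, realm-wide maximum), so a ticket shorter than the smallest ceiling you can see means a ceiling you have not looked at is binding. The following Python script is an added example, not part of the post or of MIT krb5; the function names (parse_deltat, parse_klist_tgt, diagnose) are mine, and all input is copied from the post above, so nothing contacts a KDC. It parses `klist -f` output, compares the granted lifetimes with the visible ceilings, and reports whether the result equals the built-in default.

```python
import re
from datetime import datetime, timedelta

# Compiled-in ceilings from MIT krb5's kdb.h (KRB5_KDB_MAX_LIFE and
# KRB5_KDB_MAX_RLIFE): 1 day and 7 days.  A ticket that comes out at
# exactly these values is a strong hint that no configured limit applied.
BUILTIN_MAX_LIFE = timedelta(days=1)
BUILTIN_MAX_RLIFE = timedelta(days=7)

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_KLIST_TIME = "%m/%d/%y %H:%M:%S"
_STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"


def parse_deltat(text):
    """Parse the d/h/m/s spelling of a krb5 duration ('90d', '90d 0h 0m 0s'),
    the form used with kinit -l/-r and in kdc.conf.  Other spellings krb5
    accepts (plain seconds, hh:mm:ss) are rejected with ValueError."""
    compact = text.replace(" ", "")
    parts = re.findall(r"(\d+)([dhms])", compact)
    if not parts or "".join(n + u for n, u in parts) != compact:
        raise ValueError(f"unrecognised duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _UNIT_SECONDS[u] for n, u in parts))


def parse_klist_tgt(klist_output):
    """Return (ticket_life, renewable_life) of the krbtgt entry in `klist -f`
    output; renewable_life is None when no 'renew until' line follows."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"\s*({_STAMP})\s+({_STAMP})\s+(krbtgt/\S+)", line)
        if not m:
            continue
        start = datetime.strptime(m.group(1), _KLIST_TIME)
        expires = datetime.strptime(m.group(2), _KLIST_TIME)
        renewable = None
        if i + 1 < len(lines):
            r = re.search(rf"renew until ({_STAMP})", lines[i + 1])
            if r:
                renewable = datetime.strptime(r.group(1), _KLIST_TIME) - start
        return expires - start, renewable
    raise ValueError("no krbtgt ticket found in klist output")


def diagnose(kind, requested, ceilings, observed):
    """kind is 'life' or 'renew'; requested is what kinit -l/-r asked for;
    ceilings maps a label to every limit you can see; observed comes from
    klist.  The KDC grants min(requested, ceilings).  If observed is below
    even that, a limit you have not inspected is binding."""
    limits = dict(ceilings, requested=requested)
    binding = min(limits, key=limits.get)
    expected = limits[binding]
    result = {"kind": kind, "expected": expected, "observed": observed,
              "binding": binding, "verdict": "ok"}
    if observed < expected:
        result["verdict"] = "hidden ceiling"
        builtin = BUILTIN_MAX_LIFE if kind == "life" else BUILTIN_MAX_RLIFE
        result["matches_builtin_default"] = observed == builtin
    return result


# Input copied from the post above (constructed sample, no live KDC).
POST_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_16620
Default principal: klongfel@DEV.COMPANY.COM

Valid starting     Expires            Service principal
03/15/10 10:11:06  03/16/10 10:11:06  krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
        renew until 03/22/10 10:11:06, Flags: RI
"""
# The post shows 90 days for max life and max renewable life everywhere.
POST_LIMITS = {
    "client principal": parse_deltat("90d"),
    "krbtgt principal": parse_deltat("90d"),
    "kdc.conf realm stanza": parse_deltat("90d 0h 0m 0s"),
}


def diagnose_post():
    """Run the check over the post's own numbers (kinit -l 90d -r 90d)."""
    life, renew = parse_klist_tgt(POST_KLIST)
    return (diagnose("life", parse_deltat("90d"), POST_LIMITS, life),
            diagnose("renew", parse_deltat("90d"), POST_LIMITS, renew))


if __name__ == "__main__":
    for r in diagnose_post():
        print(f"{r['kind']}: got {r['observed']}, expected {r['expected']} "
              f"(bound by {r['binding']}): {r['verdict']}"
              + (", equals krb5 built-in default"
                 if r.get("matches_builtin_default") else ""))
```

When the script reports a hidden ceiling that equals the built-in default, the limits listed in the post are not the ones the KDC is applying. Two places worth checking in this setup, stated as things to verify rather than as the known cause: whether the running krb5kdc actually loaded the kdc.conf quoted above (this build lives under /opt/krb5_local, and the KRB5_KDC_PROFILE environment variable controls which file the KDC reads), and, with the LDAP back end, the realm container's own maximum ticket and renewable life, which `kdb5_ldap_util view -r REALM` displays and `kdb5_ldap_util modify -r REALM -maxtktlife ... -maxrenewlife ...` sets.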
