Fw: Kerberos Digest, Vol 87, Issue 10

Kevin Longfellow klongfel at yahoo.com
Mon Mar 15 14:13:52 EDT 2010


RE: max ticket/renew appears to not work in 1.7.1

We found the issue.  The wrong kdc.conf was getting read because of the way I configured the directory structure.

Thanks, Kevin


--- On Mon, 3/15/10, kerberos-request at mit.edu <kerberos-request at mit.edu> wrote:

> From: kerberos-request at mit.edu <kerberos-request at mit.edu>
> Subject: Kerberos Digest, Vol 87, Issue 10
> To: kerberos at mit.edu
> Date: Monday, March 15, 2010, 12:03 PM
> 
> Today's Topics:
> 
>    1. max ticket/renew appears to not work in 1.7.1? (Kevin Longfellow)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Mon, 15 Mar 2010 07:23:01 -0700 (PDT)
> From: Kevin Longfellow <klongfel at yahoo.com>
> Subject: max ticket/renew appears to not work in 1.7.1?
> To: kerberos at mit.edu
> Message-ID: <187655.85206.qm at web53506.mail.re2.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
> 
> 
> Hi,
> 
> We are working on setting up a very large Kerberos
> environment and recently changed to 1.7.1 with an LDAP back
> end for our testing.  Since two things changed from our
> previous test environment, I'm not sure what might be the
> cause of user tickets not getting the requested max lifetime
> and max renewable.  Our previous test environment was
> 1.7 with the local database option.
> 
> I'll try and list some things that might be relevant:
> 
> kadmin.local:  getprinc krbtgt/DEV.COMPANY.COM at DEV.COMPANY.COM
> Principal: krbtgt/DEV.COMPANY.COM at DEV.COMPANY.COM
> Expiration date: [never]
> Last password change: [never]
> Password expiration date: [none]
> Maximum ticket life: 90 days 00:00:00
> Maximum renewable life: 90 days 00:00:00
> Last modified: Tue Mar 09 13:49:21 PST 2010 (root/admin at DEV.COMPANY.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 4
> Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
> Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, Version 5
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
> Key: vno 1, ArcFour with HMAC/md5, Version 5
> MKey: vno 1
> Attributes:
> Policy: [none]
> 
> [klongfel at klongfel-ovs3 ~]$ kinit -l 90d -r 90d
> Password for klongfel at DEV.COMPANY.COM:
> [klongfel at klongfel-ovs3 ~]$ klist -face
> Ticket cache: FILE:/tmp/krb5cc_16620
> Default principal: klongfel at DEV.COMPANY.COM
> 
> Valid starting     Expires            Service principal
> 03/15/10 10:11:06  03/16/10 10:11:06  krbtgt/DEV.COMPANY.COM at DEV.COMPANY.COM
>         renew until 03/22/10 10:11:06, Flags: RI
>         Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>         Addresses: (none)
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt16620
> klist: You have no tickets cached
> 
> kadmin.local:  getprinc klongfel
> Principal: klongfel at DEV.COMPANY.COM
> Expiration date: [never]
> Last password change: Thu Mar 11 12:45:54 PST 2010
> Password expiration date: [none]
> Maximum ticket life: 90 days 00:00:00
> Maximum renewable life: 90 days 00:00:00
> Last modified: Thu Mar 11 12:45:54 PST 2010 (root/admin at DEV.COMPANY.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, DES cbc mode with CRC-32, Version 5
> MKey: vno 1
> Attributes:
> Policy: [none]
> 
> [kdcdefaults]
>         kdc_ports = 750,88
>         clockskew = 3600
> 
> [realms]
>         DEV.COMPANY.COM = {
>                 acl_file = /opt/krb5_local/var/krb5kdc/kadm5.acl
>                 kdc_ports = 750,88
>                 max_life = 90d 0h 0m 0s
>                 max_renewable_life =  90d 0h 0m 0s
>         }
> 
> What am I missing, can check, or read to ensure we can get
> higher ticket and renew lifetimes?
> 
> Thanks for any help with this,
> 
> Kevin
> 
> End of Kerberos Digest, Vol 87, Issue 10
> ****************************************
> 
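
The KDC issues a ticket with the smallest of the requested lifetime, the client principal's maximum, the krbtgt principal's maximum and the realm's max_life from the kdc.conf it actually loaded. The sketch below is an added example, not part of the original thread: it compares those limits with what klist reports, using constructed inputs modelled on the quoted values; the function names are hypothetical and only the "Nd Nh Nm Ns" duration form is parsed.

```python
import re
from datetime import datetime

# Constructed kdc.conf excerpt: the file the administrator believes is in use.
KDC_CONF = """\
[realms]
        DEV.COMPANY.COM = {
                max_life = 90d 0h 0m 0s
                max_renewable_life = 90d 0h 0m 0s
        }
"""
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def conf_seconds(text):
    """Convert a kdc.conf duration such as '90d 0h 0m 0s' to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)\s*([dhms])", text))

def kadmin_seconds(text):
    """Convert a getprinc value such as '90 days 00:00:00' to seconds."""
    m = re.fullmatch(r"(\d+) days? (\d+):(\d+):(\d+)", text.strip())
    d, h, mi, s = map(int, m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def klist_seconds(start, end):
    """Seconds between two klist timestamps such as '03/15/10 10:11:06'."""
    fmt = "%m/%d/%y %H:%M:%S"
    return int((datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).total_seconds())

def realm_limit(conf, realm, key):
    """Read one relation (max_life or max_renewable_life) from the realm stanza."""
    stanza = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf, re.S)
    m = re.search(r"^\s*" + key + r"\s*=\s*(.+)$", stanza.group(1), re.M)
    return conf_seconds(m.group(1))

def diagnose(requested, client, krbtgt, realm, observed):
    """Name the binding limit, or report that no configured limit explains the ticket."""
    limits = {"requested": requested, "client principal": client,
              "krbtgt principal": krbtgt, "kdc.conf realm": realm}
    expected = min(limits.values())
    if observed == expected:
        return "bound by " + min(limits, key=limits.get)
    if observed < expected:
        return "KDC applied a lower limit than this kdc.conf: check which file it loads"
    return "ticket exceeds configured limits"
```

With the values quoted above (every limit at 90 days, a ticket valid for one day), `diagnose` reports that no listed limit accounts for the result, which is consistent with the KDC reading a different kdc.conf.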


      



