Fw: Kerberos Digest, Vol 87, Issue 10
Kevin Longfellow
klongfel at yahoo.com
Mon Mar 15 14:13:52 EDT 2010
RE: max ticket/renew appears to not work in 1.7.1
We found the issue. The wrong kdc.conf was getting read because of the way I configured the directory structure.
Thanks, Kevin
--- On Mon, 3/15/10, kerberos-request at mit.edu <kerberos-request at mit.edu> wrote:
> From: kerberos-request at mit.edu <kerberos-request at mit.edu>
> Subject: Kerberos Digest, Vol 87, Issue 10
> To: kerberos at mit.edu
> Date: Monday, March 15, 2010, 12:03 PM
> Today's Topics:
>
> 1. max ticket/renew appears to not work in 1.7.1? (Kevin Longfellow)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 15 Mar 2010 07:23:01 -0700 (PDT)
> From: Kevin Longfellow <klongfel at yahoo.com>
> Subject: max ticket/renew appears to not work in 1.7.1?
> To: kerberos at mit.edu
> Message-ID: <187655.85206.qm at web53506.mail.re2.yahoo.com>
> Content-Type: text/plain; charset=us-ascii
>
>
> Hi,
>
> We are working on setting up a very large Kerberos
> environment and recently changed to 1.7.1 with an LDAP back
> end for our testing. Since two things changed from our
> previous test environment, I'm not sure what might be the
> cause of user tickets not getting the requested max lifetime
> and max renewable. Our previous test environment was
> 1.7 with the local database option.
>
> I'll try and list some things that might be relevant:
>
> kadmin.local: getprinc krbtgt/DEV.COMPANY.COM at DEV.COMPANY.COM
> Principal: krbtgt/DEV.COMPANY.COM at DEV.COMPANY.COM
> Expiration date: [never]
> Last password change: [never]
> Password expiration date: [none]
> Maximum ticket life: 90 days 00:00:00
> Maximum renewable life: 90 days 00:00:00
> Last modified: Tue Mar 09 13:49:21 PST 2010 (root/admin at DEV.COMPANY.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 4
> Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
> Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, Version 5
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
> Key: vno 1, ArcFour with HMAC/md5, Version 5
> MKey: vno 1
> Attributes:
> Policy: [none]
>
> [klongfel at klongfel-ovs3 ~]$ kinit -l 90d -r 90d
> Password for klongfel at DEV.COMPANY.COM:
> [klongfel at klongfel-ovs3 ~]$ klist -face
> Ticket cache: FILE:/tmp/krb5cc_16620
> Default principal: klongfel at DEV.COMPANY.COM
>
> Valid starting     Expires            Service principal
> 03/15/10 10:11:06  03/16/10 10:11:06  krbtgt/DEV.COMPANY.COM at DEV.COMPANY.COM
>         renew until 03/22/10 10:11:06, Flags: RI
>         Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>         Addresses: (none)
>
>
> Kerberos 4 ticket cache: /tmp/tkt16620
> klist: You have no tickets cached
>
> kadmin.local: getprinc klongfel
> Principal: klongfel at DEV.COMPANY.COM
> Expiration date: [never]
> Last password change: Thu Mar 11 12:45:54 PST 2010
> Password expiration date: [none]
> Maximum ticket life: 90 days 00:00:00
> Maximum renewable life: 90 days 00:00:00
> Last modified: Thu Mar 11 12:45:54 PST 2010 (root/admin at DEV.COMPANY.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, DES cbc mode with CRC-32, Version 5
> MKey: vno 1
> Attributes:
> Policy: [none]
>
> [kdcdefaults]
> kdc_ports = 750,88
> clockskew = 3600
>
> [realms]
> DEV.COMPANY.COM = {
>
> acl_file = /opt/krb5_local/var/krb5kdc/kadm5.acl
>
> kdc_ports = 750,88
>
> max_life = 90d 0h 0m 0s
>
> max_renewable_life = 90d 0h 0m 0s
> }
>
> What am I missing, can check, or read to ensure we can get
> higher ticket and renew lifetimes?
>
> Thanks for any help with this,
>
> Kevin
>
>
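A check for the mismatch this thread turned out to be about, added here as an example and not part of the original messages: it compares the lifetimes shown by `klist` with what a given kdc.conf permits, assuming the KDC grants the minimum of the requested value, the principals' maxima and the realm's `max_life` / `max_renewable_life`. The function names and inline samples are constructed; the sample writes the principal with `@`, which the list archive renders as ` at `.

```python
import re
from datetime import datetime

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"

def parse_duration(text):
    """'90d 0h 0m 0s' (kdc.conf) or '90d' (kinit -l / -r) -> seconds."""
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def realm_limits(kdc_conf, realm):
    """(max_life, max_renewable_life) in seconds from one [realms] block."""
    block = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", kdc_conf, re.S)
    if block is None:
        raise KeyError(f"realm {realm} is not defined in this kdc.conf")
    kv = dict(re.findall(r"^\s*(max_life|max_renewable_life)\s*=\s*(.+?)\s*$",
                         block.group(1), re.M))
    return parse_duration(kv["max_life"]), parse_duration(kv["max_renewable_life"])

def granted(klist_out):
    """(lifetime, renewable lifetime) in seconds of the first ticket listed."""
    start, end, renew = (datetime.strptime(s, "%m/%d/%y %H:%M:%S")
                         for s in re.findall(STAMP, klist_out)[:3])
    return int((end - start).total_seconds()), int((renew - start).total_seconds())

def audit(klist_out, kdc_conf, realm, other_limits):
    """other_limits: requested and per-principal maxima, e.g. ['90d', '90d']."""
    cap = min(parse_duration(x) for x in other_limits)
    conf_life, conf_renew = realm_limits(kdc_conf, realm)
    expected = (min(cap, conf_life), min(cap, conf_renew))
    got = granted(klist_out)
    return {"expected": expected, "granted": got, "explained": expected == got}

# Constructed samples mirroring the values quoted in the post.
KDC_CONF = """[realms]
DEV.COMPANY.COM = {
    max_life = 90d 0h 0m 0s
    max_renewable_life = 90d 0h 0m 0s
}
"""
KLIST = ("03/15/10 10:11:06  03/16/10 10:11:06  krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM\n"
         "\trenew until 03/22/10 10:11:06, Flags: RI\n")

if __name__ == "__main__":
    print(audit(KLIST, KDC_CONF, "DEV.COMPANY.COM", ["90d", "90d", "90d"]))
```

An `explained` value of `False` means a limit other than the inspected file is in force; with MIT krb5, confirm which kdc.conf the KDC actually opened (the `KRB5_KDC_PROFILE` environment variable overrides the built-in default path).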