Why doesn't kinit -r work?
shuaijie wang
wangshuaijie at gmail.com
Mon May 7 03:18:36 EDT 2012
I configured a krb5 server and want to get a renewable TGT. The server
configuration is as follows:
kdc.conf:

[realms]
    WSJ.PLATFORM.COM = {
        kadmind_port = 749
        database_name = /usr/local/var/krb5kdc/principal
        admin_keytab = FILE:/usr/local/var/krb5kdc/kadm5.keytab
        acl_file = /usr/local/var/krb5kdc/kadm5.acl
        key_stash_file = /usr/local/var/krb5kdc/.k5.WSJ.PLATFORM.COM
        max_life = 10h 0m 0s
        max_renewable_life = 20h 0m 0s
        master_key_type = des-cbc-crc
        master_key_type = des3-hmac-sha1
        supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
        default_principal_flags = +renewable
    }
You can see that this KDC does allow renewable tickets. Then I used kinit to
obtain a renewable ticket:

    kinit -l 30m -r 60m

Then I used klist to check the TGT I had just got:

    sjwang at delgpu2-395: klist
    Ticket cache: FILE:/tmp/krb5cc_34252
    Default principal: sjwang at WSJ.PLATFORM.COM

    Valid starting     Expires            Service principal
    05/07/12 03:12:44  05/07/12 03:42:42  krbtgt/WSJ.PLATFORM.COM at WSJ.PLATFORM.COM
            renew until 05/07/12 03:12:44
    sjwang at delgpu2-396:

We see that the option "-l 30m" works correctly, since the TGT will expire 30m
later, but the renew until time is the same as the valid starting time,
meaning that this ticket is not renewable? I am rather confused. I've
checked everything in the krb5 admin manual and can't find why. Can anyone
tell me how to set up and get a renewable ticket? Thank you.
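
The check described in the message above (a "renew until" time that does not lie beyond the ticket's own lifetime), as an added example that is not part of the original post: a small parser for klist output in the timestamp layout shown there. The function names, status labels and sample text are assumptions made for this illustration; the first sample ticket mirrors the post and the second is constructed.

```python
import re
from datetime import datetime

FMT = "%m/%d/%y %H:%M:%S"  # timestamp layout used by the klist output in the post
TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET = re.compile(rf"^{TS}\s+{TS}\s+(\S.*)$")
RENEW = re.compile(rf"^renew until {TS}$")

def parse_klist(text):
    """Return one dict per ticket with its lifetime and renewable window."""
    tickets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TICKET.match(line)
        if m:
            start, end = (datetime.strptime(g, FMT) for g in m.group(1, 2))
            tickets.append({"service": m.group(3), "start": start,
                            "lifetime": end - start, "renew_window": None})
            continue
        m = RENEW.match(line)
        if m and tickets:  # a renew line belongs to the ticket just above it
            till = datetime.strptime(m.group(1), FMT)
            tickets[-1]["renew_window"] = till - tickets[-1]["start"]
    return tickets

def renew_status(ticket):
    """Classify a ticket by whether renewing it could push its expiry later."""
    window = ticket["renew_window"]
    if window is None:
        return "not-renewable"   # klist printed no "renew until" line
    if window <= ticket["lifetime"]:
        return "no-extension"    # renew-until is not later than the expiry
    return "renewable"

# Constructed sample: first ticket mirrors the post, second is a healthy one.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_34252
Default principal: sjwang@WSJ.PLATFORM.COM

Valid starting     Expires            Service principal
05/07/12 03:12:44  05/07/12 03:42:42  krbtgt/WSJ.PLATFORM.COM@WSJ.PLATFORM.COM
\trenew until 05/07/12 03:12:44
05/07/12 03:12:44  05/07/12 03:42:42  host/example.test@WSJ.PLATFORM.COM
\trenew until 05/07/12 04:12:44
"""

if __name__ == "__main__":
    for t in parse_klist(SAMPLE):
        print(t["service"], t["lifetime"], t["renew_window"], renew_status(t))
```
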