Why doesn't kinit -r work?

Greg Hudson ghudson at MIT.EDU
Mon May 7 10:48:27 EDT 2012


On 05/07/2012 03:18 AM, shuaijie wang wrote:
> We see that option "-l 30m" works correctly since the TGT will expire 30m
> later, but the renew until time is the same as the valid starting time,
> meaning that this ticket is not renewable? I am rather confused, I've
> checked everything in krb5 admin manual, and can't find why, can anyone
> tell me how to set up and get a renewable ticket? Thank you.

The maximum renewable lifetime of a ticket granted by an AS request is
affected by four factors:

  (1) The request's renew-until date
  (2) The client principal's maximum renewable life
  (3) The server principal's maximum renewable life
  (4) The realm's configured maximum renewable life

You've got (1) and (4) covered, but probably not (2) and/or (3).  So,
check the maximum renewable lifetimes on the client and on the krbtgt
database entries:

$ kadmin
[...]
kadmin:  getprinc user
[...]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
[...]
kadmin:  getprinc krbtgt/KRBTEST.COM
[...]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
[...]
kadmin:  modprinc -maxrenewlife "20 hours" krbtgt/KRBTEST.COM
Principal "krbtgt/KRBTEST.COM@KRBTEST.COM" modified.
kadmin:  modprinc -maxrenewlife "20 hours" user
Principal "user@KRBTEST.COM" modified.
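
Added example, not part of the original message: a Python sketch that parses the "Maximum renewable life" field from getprinc output and reports which of the four factors listed above is holding the renewable lifetime down. It assumes the factors combine as a minimum; the sample getprinc text is constructed, and the function names and the request and realm values are hypothetical inputs.

```python
import re

# Constructed sample: getprinc fields as shown in the message above.
SAMPLE_USER = """Principal: user@KRBTEST.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
"""
# Constructed sample: the krbtgt entry after modprinc -maxrenewlife "20 hours".
SAMPLE_TGS = """Principal: krbtgt/KRBTEST.COM@KRBTEST.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 20:00:00
"""

_LIFE = re.compile(
    r"^Maximum renewable life:\s*(\d+) days? (\d+):(\d\d):(\d\d)\s*$", re.M)


def max_renew_seconds(getprinc_output):
    """Return the 'Maximum renewable life' of a getprinc dump, in seconds."""
    m = _LIFE.search(getprinc_output)
    if m is None:
        raise ValueError("no 'Maximum renewable life' line found")
    days, hours, minutes, seconds = map(int, m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def limiting_factor(requested, client_out, server_out, realm_max):
    """Return (effective_seconds, names of the factors that impose it).

    Assumption: the four factors combine as a minimum. requested and
    realm_max are seconds supplied by the caller (hypothetical inputs
    standing for the kinit -r value and the realm's configured maximum).
    """
    factors = {
        "(1) request": requested,
        "(2) client principal": max_renew_seconds(client_out),
        "(3) server principal": max_renew_seconds(server_out),
        "(4) realm": realm_max,
    }
    effective = min(factors.values())
    return effective, [n for n, v in factors.items() if v == effective]


if __name__ == "__main__":
    week = 7 * 24 * 3600
    secs, why = limiting_factor(week, SAMPLE_USER, SAMPLE_TGS, week)
    verdict = "not renewable" if secs == 0 else f"renewable for {secs}s"
    print(verdict, "- limited by", ", ".join(why))
```

With the constructed samples, the client principal's zero value is reported as the limit even though the krbtgt entry has already been raised, which is why both entries need checking.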

