Unable to create renewable ticket when we switched to a 1.12 KDC
Ishaan Joshi
ishaan at cloudera.com
Fri Aug 21 14:51:53 EDT 2015
Ben, Greg,

Thanks a bunch for the quick responses. Let me restate the problem we
faced (which is exactly what Ben described):

Our earlier behaviour was to issue the following kinit to periodically
renew our daemon's ticket: "kinit -r <time_string> -k -t <keytab>
<service_name>". The time_string was hard-coded to a day. The renewal time
was controlled by another option that was passed in.

When we first ran against a 1.12 KDC, the ticket became non-renewable
because the hard-coded value for time_string happened to be equal to the
ticket_lifetime in the krb5.conf.

I have a few follow-on questions:

- Can I assume that our previous behaviour was incorrect, and we just
got lucky because it was not enforced?
- Do we need to use the -r flag, given that the ticket is renewed
periodically?
- Are there any risks to passing in a value via -l on older KDCs, apart
from overriding the value in the krb5.conf?

Thanks!
Ishaan
On Thu, Aug 20, 2015 at 10:08 PM, Greg Hudson <ghudson at mit.edu> wrote:
> On 08/20/2015 11:45 PM, Benjamin Kaduk wrote:
> >> We recently ran into a problem wherein the tickets for our service could
> >> not be renewed. After a lot of digging, we traced the change in behaviour
> >
> > Can you say more about the problematic behavior you were experiencing? My
> > understanding is that the commit you link to was not expected to result in
> > any noticeable decrease in functionality, so it would be helpful to
> > understand what actually happened.
>
> I think the issue is that if you do something like:
>
> kinit -l 1d -r 1d princname
>
> you no longer get a renewable ticket. Then, when you go to renew the
> ticket, you get an error. Although there's no practical reason (that I
> know of) to renew tickets without extending their lifetimes, I could see
> this situation arising as an edge case in some kinds of scripts. I
> didn't anticipate that possibility when making the KDC change in 1.12.
>
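As an added illustration (not code from the thread's authors or from MIT krb5), here is a Python pre-flight check that a daemon's renewal script could run before invoking kinit. It models the 1.12 behaviour Greg describes, that a ticket only comes back renewable when its renewable lifetime exceeds its ticket lifetime, and so flags "-l 1d -r 1d", as well as the thread's "-r 1d with ticket_lifetime = 1d in krb5.conf" case, before they silently produce a non-renewable ticket. The duration grammar, the clamping to realm maxima and the values in REALM_ASSUMED are simplifying assumptions; build_kinit_command only constructs the argv and does not run kinit.

```python
"""Pre-flight check for kinit lifetime/renewable-lifetime arguments.

Added example, not code from the krb5 project or from the thread's authors.
It models the KDC behaviour described in the thread: since krb5 1.12 a ticket
only comes back renewable when its renewable lifetime exceeds its ticket
lifetime, so "kinit -l 1d -r 1d" (or "-r 1d" with ticket_lifetime = 1d in
krb5.conf) yields a non-renewable ticket. The duration grammar and the
clamping to realm maxima are simplifying assumptions, not krb5's own code.
"""
import re
import shlex

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([dhms])")

# Constructed realm settings (assumption): ticket_lifetime of one day, as in
# the thread's krb5.conf, plus KDC maxima for lifetime and renewable lifetime.
REALM_ASSUMED = {
    "ticket_lifetime": 86400,
    "max_life": 86400,
    "max_renewable_life": 7 * 86400,
}


def parse_deltat(text):
    """Parse a krb5-style duration ("1d", "2h30m", "1d 4h", or bare seconds).

    Covers only the d/h/m/s forms (assumption); it is not krb5_string_to_deltat.
    """
    text = re.sub(r"\s+", "", text.lower())
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:  # something unparsable sits between tokens
            raise ValueError("unparsable duration: %r" % text)
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
        pos = m.end()
    if pos != len(text) or total == 0:
        raise ValueError("unparsable duration: %r" % text)
    return total


def ticket_is_renewable(requested_life, requested_renew, ticket_lifetime,
                        max_life, max_renewable_life):
    """Simplified model of the post-1.12 KDC decision (assumption).

    requested_life: seconds from -l, or None to fall back on ticket_lifetime.
    requested_renew: seconds from -r, or None when -r was not passed.
    Returns (renewable, effective_life, effective_renew) in seconds.
    """
    life = min(ticket_lifetime if requested_life is None else requested_life, max_life)
    if requested_renew is None:
        return False, life, 0
    renew = min(requested_renew, max_renewable_life)
    # The renewable flag is only useful, and since 1.12 only granted, when the
    # renewable lifetime actually extends past the ticket's own end time.
    return renew > life, life, renew


def build_kinit_command(keytab, principal, renew_life, lifetime=None, realm=REALM_ASSUMED):
    """Return a kinit argv, refusing argument pairs that cannot yield a renewable ticket."""
    life_s = None if lifetime is None else parse_deltat(lifetime)
    renew_s = parse_deltat(renew_life)
    renewable, life, _ = ticket_is_renewable(life_s, renew_s, **realm)
    if not renewable:
        raise ValueError(
            "-r %s does not exceed the effective ticket lifetime (%ds); "
            "the KDC would issue a non-renewable ticket" % (renew_life, life))
    argv = ["kinit"]
    if lifetime is not None:
        argv += ["-l", lifetime]
    argv += ["-r", renew_life, "-k", "-t", keytab, principal]
    return argv


if __name__ == "__main__":
    # Constructed cases: the two failing combinations from the thread, then
    # two that leave room for renewal past the ticket's end time.
    cases = [("1d", "1d"), (None, "1d"), ("1d", "7d"), ("8h", "1d")]
    for lifetime, renew in cases:
        try:
            argv = build_kinit_command("/etc/svc.keytab", "svc/host@EXAMPLE.COM",
                                       renew, lifetime)
            print("OK  :", shlex.join(argv))
        except ValueError as err:
            print("SKIP: -l %s -r %s -> %s" % (lifetime, renew, err))
```

The check answers the thread's practical worry from the script's side: rather than discovering at renewal time that the KDC dropped the renewable flag, the wrapper refuses a renewable lifetime that does not exceed the effective ticket lifetime (whether that lifetime came from -l or from krb5.conf) and makes the operator pick values that actually extend the ticket.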