max_life problem
Александр Баранин
avbaranin at gmail.com
Mon Aug 1 04:29:15 EDT 2016
Hello!
I use mit kerberos, version krb5-1.14.2, compiled from source.
And I can't force the KDC to issue tickets for more than 10 hours.
This is part of my krb5.conf:
[libdefaults]
default_realm = ALFA.IT
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_canonicalize_hostname = false
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
ticket_lifetime = 1d 0h 0m 0s
renew_lifetime = 14d 1h 0m 0s
This is part of my kdc.conf:
[realms]
ALFA.IT = {
database_module = LDAP
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 1d 0h 0m 0s
max_renewable_life = 14d 1h 0m 0s
Here are my tests:
root at debian:/etc/krb5kdc# kinit -l "9h"
Password for root at ALFA.IT:
root at debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at ALFA.IT
Valid starting Expires Service principal
08/01/2016 11:19:12 08/01/2016 20:19:12 krbtgt/ALFA.IT at ALFA.IT
renew until 08/08/2016 11:19:12
Ticket is ok and is for 9 hours.
root at debian:/etc/krb5kdc# kdestroy
Trying to get a ticket for 12 hours.
root at debian:/etc/krb5kdc# kinit -l "12h"
Password for root at ALFA.IT:
root at debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at ALFA.IT
Valid starting Expires Service principal
08/01/2016 11:19:39 08/01/2016 21:19:39 krbtgt/ALFA.IT at ALFA.IT
renew until 08/08/2016 11:19:39
Now we see that the ticket issued by the KDC is for 10 hours only.
root at debian:/etc/krb5kdc# kdestroy
Now trying to get ticket for 1 day:
root at debian:/etc/krb5kdc# kinit -l "1d"
Password for root at ALFA.IT:
root at debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at ALFA.IT
Valid starting Expires Service principal
08/01/2016 11:19:53 08/01/2016 21:19:53 krbtgt/ALFA.IT at ALFA.IT
renew until 08/08/2016 11:19:53
Ticket obtained is for 10 hours too.
I tried setting the time in different units (24h, 1440m, etc.) in the KDC and
client library configs, but the result was the same: I can get a TGT for 10
hours only.
What's wrong?
Is it a Kerberos bug or a bug in the configuration?
Please, help!
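Worked example added by the editor, not part of the original post and not MIT Kerberos code. It models the rule the KDC applies when it decides a ticket's end time: the granted lifetime is the minimum of what kinit -l asked for and every configured ceiling (realm max_life in kdc.conf, the client principal's max_life, and the service principal's max_life, which for a TGT is the krbtgt entry). The duration parser covers the "1d 0h 0m 0s" / "12h" / "1440m" spellings used above plus bare seconds and h:m[:s]; that subset, and the 10-hour principal limit used in the demo, are assumptions chosen to reproduce the observed behaviour, not facts taken from the post.

```python
import re

# Seconds per unit in the krb5 duration syntax ("1d 0h 0m 0s", "12h", "1440m").
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_UNIT_RE = re.compile(r"(\d+)\s*([dhms])")


def parse_duration(text):
    """Parse a krb5-style time duration into seconds.

    Handles unit suffixes ("1d 0h 0m 0s", "12h", "1440m"), a bare number of
    seconds ("36000") and clock notation ("10:00" or "10:00:00").
    Assumption: other spellings libkrb5 accepts are deliberately not covered.
    """
    s = text.strip().lower()
    if re.fullmatch(r"\d+", s):
        return int(s)
    m = re.fullmatch(r"(\d+):(\d+)(?::(\d+))?", s)
    if m:
        hours, minutes, seconds = (int(g or 0) for g in m.groups())
        return hours * 3600 + minutes * 60 + seconds
    parts = _UNIT_RE.findall(s)
    leftover = _UNIT_RE.sub("", s).strip()
    if not parts or leftover:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def format_duration(seconds):
    """Render seconds back into the "Nd Nh Nm Ns" form used in kdc.conf."""
    d, rem = divmod(seconds, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return f"{d}d {h}h {m}m {s}s"


def effective_lifetime(requested, limits):
    """Return (granted_seconds, binding_limit_name).

    The KDC issues a ticket whose lifetime is the minimum of the requested
    value and every ceiling in `limits` (label -> seconds); the label of the
    ceiling that actually bound the result is returned so an admin can see
    which setting to change.
    """
    granted = requested
    binding = "requested lifetime"
    for name, ceiling in limits.items():
        if ceiling < granted:
            granted, binding = ceiling, name
    return granted, binding


def explain_request(requested_text, realm_max_life_text,
                    client_max_life_text, service_max_life_text):
    """Parse all four values and report (granted lifetime, binding limit)."""
    limits = {
        "realm max_life (kdc.conf)": parse_duration(realm_max_life_text),
        "client principal max_life": parse_duration(client_max_life_text),
        "krbtgt principal max_life": parse_duration(service_max_life_text),
    }
    granted, binding = effective_lifetime(parse_duration(requested_text), limits)
    return format_duration(granted), binding


if __name__ == "__main__":
    # From the post: realm max_life = 1d and requests of 9h, 12h and 1d.
    # Constructed assumption: the principal entries carry a 10h max_life,
    # one configuration that reproduces the 10-hour tickets seen in klist.
    for req in ("9h", "12h", "1d"):
        granted, why = explain_request(req, "1d 0h 0m 0s", "10h", "10h")
        print(f"kinit -l {req:>3}: ticket valid for {granted}, bounded by {why}")
```

Run as a script it prints, for each of the three kinit requests in the post, which limit produced the granted lifetime; when a ceiling other than the realm's max_life binds, the setting to inspect is the max_life stored on the principal entries (client and krbtgt), not kdc.conf or krb5.conf.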