max_life problem

Александр Баранин avbaranin at gmail.com
Mon Aug 1 04:29:15 EDT 2016 

Hello!

I use mit kerberos, version krb5-1.14.2, compiled from source.
And I can't to force kdc to issue tickets for more than 10 hours.

This is part of my krb5.conf:

[libdefaults]
        default_realm = ALFA.IT
# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        dns_canonicalize_hostname = false
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
        ticket_lifetime = 1d 0h 0m 0s
        renew_lifetime = 14d 1h 0m 0s

This is part of my kdc.conf:

[realms]
    ALFA.IT = {
        database_module = LDAP
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 1d 0h 0m 0s
        max_renewable_life = 14d 1h 0m 0s

Here are my tests:

root at debian:/etc/krb5kdc# kinit -l "9h"
Password for root at ALFA.IT:
root at debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at ALFA.IT

Valid starting       Expires              Service principal
08/01/2016 11:19:12  08/01/2016 20:19:12  krbtgt/ALFA.IT at ALFA.IT
        renew until 08/08/2016 11:19:12

Ticket is ok and is for 9 hours.

root at debian:/etc/krb5kdc# kdestroy

Trying to get a ticket for 12 hours.

root at debian:/etc/krb5kdc# kinit -l "12h"
Password for root at ALFA.IT:

root at debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at ALFA.IT

Valid starting       Expires              Service principal
08/01/2016 11:19:39  08/01/2016 21:19:39  krbtgt/ALFA.IT at ALFA.IT
        renew until 08/08/2016 11:19:39

Now we see what ticket issued by kdc is for 10 hours only.

root at debian:/etc/krb5kdc# kdestroy

Now trying to get ticket for 1 day:

root at debian:/etc/krb5kdc# kinit -l "1d"
Password for root at ALFA.IT:
root at debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root at ALFA.IT

Valid starting       Expires              Service principal
08/01/2016 11:19:53  08/01/2016 21:19:53  krbtgt/ALFA.IT at ALFA.IT
        renew until 08/08/2016 11:19:53

Ticket obtained is for 10 hours too.

I used different to set time in different units (24h,1440m, etc) in kdc and
client libraries configs, but result was the same - I can get TGT for 10
hours only.

What's wrong?
Is it kerberos bug or bug in configuration?
Please, help!

More information about the Kerberos mailing list