Greg Hudson ghudson at
Tue Nov 17 13:26:27 EST 2020

On 11/17/20 12:53 PM, Jeffrey Altman wrote:
> Just to set the record straight, Kerberos service tickets have never
> been renewable unless they were obtained as initial tickets.  Only
> TGTs are renewable.  This is true for MIT and Heimdal as well as
> Active Directory.

Both initial and non-initial non-TGTs are renewable with MIT krb5:

$ make testrealm
$ kadmin.local modprinc -maxrenewlife 1d host/small-gods
$ kadmin.local modprinc -maxrenewlife 1d user
$ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
$ kinit -S host/small-gods -l 10m -r 20m
Password for user at KRBTEST.COM:
$ kinit -R -S host/small-gods
$ kinit -l 10m -r 20m user
Password for user at KRBTEST.COM:
$ kvno host/small-gods
host/small-gods at KRBTEST.COM: kvno = 1
$ kinit -R -S host/small-gods

There is even a messaging service at MIT that makes use of renewable
service tickets.

Prior to release 1.9 the MIT krb5 KDC supported renewing service
tickets, but the client library did not: .

> It used to be the case that "kinit -r" would fail if the requested
> principal was "disallow-renewable".   I don't remember if it was because
> the KDC refused to issue any ticket when renewable was requested or if
> it was the client library rejecting the ticket because it didn't satisfy
> the request.

That was KDC-side.  For MIT krb5, the KDC behavior changed in release
1.12 to just issue a non-renewable ticket in this case.

More information about the Kerberos mailing list