Jeffrey Altman jaltman at
Tue Nov 17 13:51:42 EST 2020

On 11/17/2020 1:26 PM, Greg Hudson (ghudson at wrote:
> On 11/17/20 12:53 PM, Jeffrey Altman wrote:
>> Just to set the record straight, Kerberos service tickets have never
>> been renewable unless they were obtained as initial tickets.  Only
>> TGTs are renewable.  This is true for MIT and Heimdal as well as
>> Active Directory.
> Both initial and non-initial non-TGTs are renewable with MIT krb5:
> $ make testrealm
> $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
> $ kadmin.local modprinc -maxrenewlife 1d user
> $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
> $ kinit -S host/small-gods -l 10m -r 20m
> Password for user at KRBTEST.COM:
> $ kinit -R -S host/small-gods
> $ kinit -l 10m -r 20m user
> Password for user at KRBTEST.COM:
> $ kvno host/small-gods
> host/small-gods at KRBTEST.COM: kvno = 1
> $ kinit -R -S host/small-gods
> $
> There is even a messaging service at MIT that makes use of renewable
> service tickets.
> Prior to release 1.9 the MIT krb5 KDC supported renewing service
> tickets, but the client library did not:
> .
>> It used to be the case that "kinit -r" would fail if the requested
>> principal was "disallow-renewable".   I don't remember if it was because
>> the KDC refused to issue any ticket when renewable was requested or if
>> it was the client library rejecting the ticket because it didn't satisfy
>> the request.
> That was KDC-side.  For MIT krb5, the KDC behavior changed in release
> 1.12 to just issue a non-renewable ticket in this case.


Thanks for tracking down the history.

I'm glad to see that service tickets can be renewed.  The lack of that
functionality was always frustrating.

Heimdal should change its behavior to match.

Jeffrey Altman

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4080 bytes
Desc: S/MIME Cryptographic Signature
Url :

More information about the Kerberos mailing list