Kinit - Renewal Process
ryan.d.jarvis@exxonmobil.com
Thu Jan 26 08:42:26 EST 2006
I have tried the kinit -R feature, but have been getting the following
error message:

kinit(v5): Internal credentials cache error when initializing cache MSLSA:rdjarvi at UPSTREAMACCTS.XOM.COM

I think when you do a kinit -R, the existing credentials are deleted? After
the kinit -R is run, the credentials are not present on the system anymore.

According to Microsoft's documentation on Kerberos, renewing the ticket
requires a fresh authenticator, as described in the sentence below:

"A client holding a renewable ticket must send it — presenting a fresh
authenticator as well — to the KDC for renewal before the end time is
reached."

Either the smart card is required to produce a new authenticator for TGTs
or the kinit function is not able to present a renewable TGT for renewal,
and when it fails, the current tickets are destroyed. What does the kinit
-R function really do, and is a smart card required to produce the fresh
authenticator as stated?

Example output from the kinit command is below:
C:\Program Files\MIT\Kerberos\bin>klist MSLSA:krb5cc
Ticket cache: MSLSA:krb5cc
Default principal: rdjarvi at UPSTREAMACCTS.XOM.COM
Valid starting     Expires            Service principal
01/26/06 07:26:40  01/26/06 07:36:40  krbtgt/UPSTREAMACCTS.XOM.COM at UPSTREAMACCTS.XOM.COM
        renew until 02/18/06 07:26:39
01/26/06 07:26:40  01/26/06 07:36:40  krbtgt/UPSTREAMACCTS.XOM.COM at UPSTREAMACCTS.XOM.COM
        renew until 02/18/06 07:26:39
C:\Program Files\MIT\Kerberos\bin>kinit -R -c MSLSA:rdjarvi at UPSTREAMACCTS.XOM.COM
kinit(v5): Internal credentials cache error when initializing cache MSLSA:rdjarvi at UPSTREAMACCTS.XOM.COM
C:\Program Files\MIT\Kerberos\bin>klist MSLSA:krb5cc
klist: No credentials cache found while resolving ccache MSLSA:krb5cc
Regards,
Ryan
Ryan D. Jarvis
Technical System Designer and Integrator
Upstream Technical Computing (UTC)
EXXONMOBIL - EMEC - UTC - CE - SDI
CORP-RR-462, 13401 N. Freeway, Houston, Texas
ryan.d.jarvis at exxonmobil.com
(281) 654 - 8237 -- (262) 313-1492 (Fax)
“Do it, Do it Right, Do it Right Now” – S. W. Kimball
----- Forwarded by Ryan D Jarvis/U-Houston/ExxonMobil on 01/26/2006 07:30 AM -----

Roland Dowdeswell <elric at imrryr.org>
01/25/2006 04:37 PM
To: ryan.d.jarvis at exxonmobil.com
cc: krbdev at mit.edu
Subject: Re: Is there a way to renew a user's TGT

On 1138219882 seconds since the Beginning of the UNIX epoch
ryan.d.jarvis at exxonmobil.com wrote:
>
>Is it possible to automatically renew user TGTs without a user's original
>credentials (Smart Card or Cached Password)?
>The tickets have a renewal period set to 7 days - but only last until the
>original TGT expires (1 hour - for tests)
Well, you can obtain renewable tickets and then use kinit -R to
renew them. To do this for long running jobs, you might want to
increase the renewable lifetime of the tickets, i.e.
$ kinit -r 40d user at REALM.TLD
Then periodically, kinit -R. You must renew them before they expire.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/
----- Forwarded by Ryan D Jarvis/U-Houston/ExxonMobil on 01/26/2006 07:30 AM -----

Russ Allbery <rra at stanford.edu>
01/25/2006 04:36 PM
To: ryan.d.jarvis at exxonmobil.com
cc: krbdev at mit.edu
Subject: Re: Is there a way to renew a user's TGT

ryan d jarvis <ryan.d.jarvis at exxonmobil.com> writes:
> Renewing Kerberos TGT's for users.
> Is it possible to automatically renew user TGTs without a user's original
> credentials (Smart Card or Cached Password)?
> The tickets have a renewal period set to 7 days - but only last until the
> original TGT expires (1 hour - for tests)
Yes, kinit -R if the ticket is renewable.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
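
The rule given in the replies above (renew with kinit -R while the TGT is still valid and inside its renewable lifetime), as an added Python example that is not part of the original thread: it reads klist output and tells a periodic job whether to wait, run kinit -R, or obtain fresh credentials. The sample klist text, the 5-minute margin, and the function names and action labels are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the unwrapped klist layout (MM/DD/YY HH:MM:SS);
# cache name, realm and principals are placeholders, not from the thread.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
01/26/06 07:26:40  01/26/06 07:36:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/18/06 07:26:39
01/26/06 07:27:02  01/26/06 07:36:40  host/app.example.com@EXAMPLE.COM
"""

STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
ENTRY = re.compile(STAMP + r"\s+" + STAMP + r"\s+(\S+)")
RENEW = re.compile(r"renew until\s+" + STAMP)


def _ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def parse_tgt(klist_text):
    """Return (expires, renew_until or None) for the first krbtgt entry."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY.search(line)
        if not m or not m.group(3).startswith("krbtgt/"):
            continue
        # klist prints "renew until" on the line after the entry it describes.
        r = RENEW.search(lines[i + 1]) if i + 1 < len(lines) else None
        return _ts(m.group(2)), (_ts(r.group(1)) if r else None)
    return None


def renewal_action(klist_text, now, margin=timedelta(minutes=5)):
    """Decide what a periodic job should do with the cached TGT at `now`."""
    tgt = parse_tgt(klist_text)
    if tgt is None or now >= tgt[0]:
        return "reauthenticate"   # no TGT, or expired: kinit -R is too late
    expires, renew_until = tgt
    if renew_until is None or renew_until <= expires:
        return "no-renewal-left"  # renewing cannot extend past renew-until
    return "renew" if expires - now <= margin else "wait"
```

A scheduler would call renewal_action with the current time and run kinit -R only on "renew"; the other results mean the job has to wait or fall back to the original credentials.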