Expired service ticket

Victor Sudakov
Colleagues,

If I have an expired service ticket and a still valid TGT, shouldn't I
expect the expired service ticket to be re-issued? Yet, it's not
happening:

[sudakov@vas ~] klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]

  Issued                Expires               Principal
Jul 16 13:03:46 2016  Jul 21 19:48:36 2016  krbtgt/[hidden email]
Jul 16 13:03:49 2016  >>>Expired<<<         host/[hidden email]
Jul 16 13:03:49 2016  >>>Expired<<<         host/[hidden email]
Jul 16 13:03:49 2016  >>>Expired<<<         host/[hidden email]
Jul 16 13:03:49 2016  >>>Expired<<<         host/[hidden email]
Jul 16 13:03:49 2016  >>>Expired<<<         host/[hidden email]
[sudakov@vas ~] ssh noc
otp-md5 479 no1004 ext
Password:

[sudakov@vas ~]

What am I doing wrong?

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]
Re: Expired service ticket

Victor Sudakov
Diogenes S. Jesus wrote:
> Check on with:
> klist -Afe

Looks like "-e" is an unknown option.

>
> And check what flags your TGT has - AFAIK it must have "renewable" flag.
>
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5/doc/krb5-user/Kerberos-Ticket-Properties.htm

Yes, the TGT has the "renewable" flag, the expired service tickets
don't, and they are stuck. Please see below:

$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]

  Issued                Expires               Principal
Jul 19 20:05:26 2016  Jul 26 20:05:25 2016  krbtgt/[hidden email]
Jul 20 19:17:11 2016  >>>Expired<<<         host/[hidden email]
Jul 20 19:17:11 2016  >>>Expired<<<         host/[hidden email]
Jul 20 19:17:11 2016  >>>Expired<<<         host/[hidden email]

$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]
    Cache version: 4

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jul 19 20:05:26 2016
End time:   Jul 26 20:05:25 2016
Renew till: Jul 26 20:05:26 2016
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

Server: host/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 435
Auth time:  Jul 19 20:05:26 2016
Start time: Jul 20 19:17:11 2016
End time:   Jul 21 19:17:11 2016 (expired)
Ticket flags: transited-policy-checked, pre-authent
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

Server: host/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 435
Auth time:  Jul 19 20:05:26 2016
Start time: Jul 20 19:17:11 2016
End time:   Jul 21 19:17:11 2016 (expired)
Ticket flags: transited-policy-checked, pre-authent
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

Server: host/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 435
Auth time:  Jul 19 20:05:26 2016
Start time: Jul 20 19:17:11 2016
End time:   Jul 21 19:17:11 2016 (expired)
Ticket flags: transited-policy-checked, pre-authent
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, IPv6:2001:470:35:7af::2, IPv4:192.168.1.1


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]
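
A checker for the cache state shown in this thread (a valid, renewable TGT next to already-expired service tickets), added here as an example and not part of either post. It parses the `klist -v` layout pasted above; the sample text, its principal names and the function names are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the `klist -v` layout from the thread; principal
# names are placeholders because the archive hides the real ones.
SAMPLE = """\
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@EXAMPLE.ORG

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
End time:   Jul 26 20:05:25 2016
Renew till: Jul 26 20:05:26 2016
Ticket flags: pre-authent, initial, renewable, forwardable

Server: host/noc.example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Start time: Jul 20 19:17:11 2016
End time:   Jul 21 19:17:11 2016 (expired)
Ticket flags: transited-policy-checked, pre-authent
"""

FIELD = re.compile(r"^([A-Z][\w ]*?):[ \t]*(.*)$", re.M)

def parse_tickets(text):
    """Return one dict of fields per 'Server:' block, skipping the cache header."""
    blocks = (dict(FIELD.findall(b)) for b in re.split(r"\n[ \t]*\n", text))
    return [b for b in blocks if "Server" in b]

def end_time(ticket):
    """Parse 'End time', ignoring the trailing '(expired)' marker klist adds."""
    stamp = ticket["End time"].replace("(expired)", "").strip()
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")

def cache_report(text, now):
    """Summarise TGT state and list service tickets that have already expired."""
    tickets = parse_tickets(text)
    tgts = [t for t in tickets if t["Server"].startswith("krbtgt/")]
    live = [t for t in tgts if end_time(t) > now]
    return {
        "tgt_valid": bool(live),
        "tgt_renewable": any("renewable" in t.get("Ticket flags", "").split(", ") for t in live),
        "expired_services": [t["Server"] for t in tickets
                             if t not in tgts and end_time(t) <= now],
    }

if __name__ == "__main__":
    print(cache_report(SAMPLE, datetime(2016, 7, 22, 12, 0, 0)))
```

A non-empty `expired_services` list together with `tgt_valid: True` is the condition the question describes.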