Unable to get a TGT that abides by the specified renewal interval

Unable to get a TGT that abides by the specified renewal interval

vtkstef
Hi,

I am having problems getting TGTs with renewal periods as specified in the
kinit -r option. My kdc.conf realm stanza has these two parameters set:

            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s

I have explicitly set the forwardable flag in the realm's
default_principal_flags parameter.
I have played with various values in the /etc/krb5.conf [libdefault] stanza
renew_lifetime and ticket_lifetime values, and I have set the principal
-maxrenewlife to 7 days. Still, whenever I do a kinit -l 10h -r 7d my
renew until timestamp is the same as the ticket creation one:

stefano@filo2 ~ $ klist -fc
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [hidden email]

Valid starting     Expires            Service principal
10/15/05 03:51:29  10/15/05 13:51:29  krbtgt/[hidden email]
        renew until 10/15/05 03:51:29, Flags: RI

I would really appreciate any insights to solve this riddle.

Ciao
Stefano

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Unable to get a TGT that abides by the specified renewal interval

Jeffrey Altman-3
vtkstef wrote:

> Hi,
>
> I am having problems getting TGTs with renewal periods as specified in the
> kinit -r option. My kdc.conf realm stanza has these two parameters set:
>
>             max_life = 10h 0m 0s
>             max_renewable_life = 7d 0h 0m 0s
>
> I have explicitly set the forwardable flag in the realm's
> default_principal_flags parameter.
> I have played with various values in the /etc/krb5.conf [libdefault] stanza
> renew_lifetime and ticket_lifetime values, and I have set the principal
> -maxrenewlife to 7 days. Still, whenever I do a kinit -l 10h -r 7d my
> renew until timestamp is the same as the ticket creation one:
>
> stefano@filo2 ~ $ klist -fc
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: [hidden email]
>
> Valid starting     Expires            Service principal
> 10/15/05 03:51:29  10/15/05 13:51:29  krbtgt/[hidden email]
>         renew until 10/15/05 03:51:29, Flags: RI
>
> I would really appreciate any insights to solve this riddle.
>
> Ciao
> Stefano

Check the lifetime settings for the krbtgt/[hidden email] and
[hidden email] principals in the KDB.

Jeffrey Altman



--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
Re: Unable to get a TGT that abides by the specified renewal interval

vtkstef
Yes, I have, and both the krbtgt/SANTORO.ORG and the stefano principals
have ticket lifetime policies that match the KDC conf max values:

kadmin:  getprinc stefano
Principal: stefano ...
...
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
...
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin:  getprinc krbtgt/SANTORO.ORG
Principal: krbtgt/SANTORO.ORG...
...
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
....
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
