kinit: krb5_get_kdc_cred: KDC can't fulfill requested option


kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Victor Sudakov
Dear Colleagues,

What could be wrong about my setup? Why wouldn't it renew the tickets?
Please see the session below:

[sudakov@vas ~] klist
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]

  Issued                Expires               Principal
Jun 10 19:59:52 2016  Jun 16 19:51:07 2016  krbtgt/[hidden email]
Jun 10 19:59:57 2016  >>>Expired<<<         host/[hidden email]
Jun 10 19:59:57 2016  >>>Expired<<<         host/[hidden email]
Jun 10 19:59:57 2016  >>>Expired<<<         host/[hidden email]
[sudakov@vas ~] kinit -R
kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
[sudakov@vas ~]

[sudakov@vas ~] more /etc/krb5.conf

[libdefaults]
        default_realm = SIBPTUS.RU
        forwardable = yes
        ticket_lifetime = 7d
        renew_lifetime = 7d
        no-addresses = false


[domain_realm]
        .tomsk.su = SIBPTUS.RU
        .tomsk.ru = SIBPTUS.RU
        .sibptus.ru = SIBPTUS.RU


Heimdal 1.5.2 on client, Heimdal 1.1.0 on KDC.

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Harald Barth-2
> [sudakov@vas ~] kinit -R
> kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
> [sudakov@vas ~]

That means normally that either the ticket is non-renewable or the KDC does
forbid it for the principal in question. Or the renewable time is over.

Harald.
 

Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Victor Sudakov
Harald Barth wrote:
> > [sudakov@vas ~] kinit -R
> > kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
> > [sudakov@vas ~]
>
> That means normally that either the ticket is non-renewable or the KDC does
> forbid it for the principal in question. Or the renewable time is over.

Is this a non-renewable TGT? It lacks the "renewable" flag, so I
suppose it is:


Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jun 11 21:29:52 2016
Start time: Jun 13 09:11:00 2016
End time:   Jun 18 21:29:52 2016
Ticket flags: transited-policy-checked, pre-authent, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.3.1,
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1, IPv4:192.168.4.1

What should I specify in krb5.conf to always obtain renewable tickets?

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Harald Barth-2

> What should I specify in krb5.conf to always obtain renewable tickets?

It might be missing from the man page, but I think it is

[libdefaults]
        renewable = true

Harald.

Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Victor Sudakov
Harald Barth wrote:
>
> > What should I specify in krb5.conf to always obtain renewable tickets?
>
> It might be missing from the man page, but I think it is
>
> [libdefaults]
> renewable = true
>

OK, initially it is renewable, but after a "kinit -R" it loses the
renewable flag. Is this normal?

[sudakov@vas ~] klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]
    Cache version: 4

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jun 13 15:06:30 2016
End time:   Jun 20 15:06:30 2016
Renew till: Jun 20 15:06:30 2016
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.3.1,
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1, IPv4:192.168.4.1

[sudakov@vas ~]
[sudakov@vas ~] kinit -R ; klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]
    Cache version: 4

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jun 13 15:06:30 2016
Start time: Jun 13 15:06:54 2016
End time:   Jun 20 15:06:30 2016
Ticket flags: transited-policy-checked, pre-authent, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.3.1,
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1, IPv4:192.168.4.1

[sudakov@vas ~]



--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]
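Harald's three causes (ticket not renewable, KDC forbids it, renew lifetime over) and the before/after `klist -v` listings above can be turned into a small check that an operator runs before `kinit -R`. This is an added example, not code from the thread or from Heimdal; the `klist -v` excerpts inside it are constructed to match the shape of the posted output, the user principal is omitted, and `NOW` is an assumed clock value taken from the session timestamps in the thread.

```python
"""Classify why `kinit -R` would be refused, from Heimdal `klist -v` output.
Added example (not code from the thread or from Heimdal) applying the conditions
named in the thread: missing `renewable` flag, renew-till passed, or TGT expired."""
from datetime import datetime
import re

TIME_FMT = "%b %d %H:%M:%S %Y"  # Heimdal prints e.g. "Jul  3 10:22:49 2016"
FIELD = re.compile(r"^(Server|End time|Renew till|Ticket flags):\s*(.*)$")
NOW = datetime(2016, 6, 26, 10, 23, 0)  # assumed clock, matches the thread's session

# Constructed `klist -v` excerpts shaped like the thread's: before/after `kinit -R`.
BEFORE_RENEW = """\
Server: krbtgt/SIBPTUS.RU@SIBPTUS.RU
End time:   Jul  3 10:22:49 2016
Renew till: Jul  3 10:22:49 2016
Ticket flags: pre-authent, initial, renewable, forwardable
"""
AFTER_RENEW = """\
Server: krbtgt/SIBPTUS.RU@SIBPTUS.RU
End time:   Jul  3 10:22:49 2016
Ticket flags: transited-policy-checked, pre-authent, forwardable
"""

def parse_tgt(klist_output):
    """Field dict of the first krbtgt/ record in `klist -v` output."""
    records = []
    for line in klist_output.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "Server":  # each ticket record starts with Server:
            records.append({})
        if m and records:
            records[-1][m.group(1)] = m.group(2)
    for rec in records:
        if rec["Server"].startswith("krbtgt/"):
            return rec
    raise ValueError("no krbtgt record in cache listing")

def diagnose_renewal(klist_output, now):
    """Return 'renewable', 'not-renewable', 'renew-till-passed' or 'expired'."""
    tgt = parse_tgt(klist_output)
    flags = {f.strip() for f in tgt.get("Ticket flags", "").split(",")}
    if now >= datetime.strptime(tgt["End time"], TIME_FMT):
        return "expired"  # nothing left to renew; a fresh kinit is needed
    if "renewable" not in flags or "Renew till" not in tgt:
        return "not-renewable"  # the state seen after the first kinit -R above
    if now >= datetime.strptime(tgt["Renew till"], TIME_FMT):
        return "renew-till-passed"  # renew_lifetime is used up
    return "renewable"
```

Running `diagnose_renewal` on the two constructed listings gives `renewable` for the fresh TGT and `not-renewable` once the `renewable` flag and `Renew till` line are gone, which is exactly the transition the thread observes.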

Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Victor Sudakov
In reply to this post by Harald Barth-2
Harald Barth wrote:
>
> > What should I specify in krb5.conf to always obtain renewable tickets?
>
> It might be missing from the man page, but I think it is
>
> [libdefaults]
> renewable = true
>

Indeed, after the first "kinit -R" the ticket loses its renewable
property. Is it a desired/expected behaviour? Please see the output
below:


Script started on Sun Jun 26 10:22:42 2016
You have mail.
[sudakov@vas ~] klist
klist: No ticket file: /tmp/krb5cc_1001
[sudakov@vas ~] kinit
[hidden email]'s Password:
[sudakov@vas ~] klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]
    Cache version: 4

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jun 26 10:22:49 2016
End time:   Jul  3 10:22:49 2016
Renew till: Jul  3 10:22:49 2016
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

[sudakov@vas ~] kinit -R
[sudakov@vas ~] kinit -R
kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
[sudakov@vas ~] klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: [hidden email]
    Cache version: 4

Server: krbtgt/[hidden email]
Client: [hidden email]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jun 26 10:22:49 2016
Start time: Jun 26 10:22:54 2016
End time:   Jul  3 10:22:49 2016
Ticket flags: transited-policy-checked, pre-authent, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

[sudakov@vas ~] exit

Script done on Sun Jun 26 10:23:00 2016

--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Harald Barth-2
> Indeed, after the first "kinit -R" the ticket loses its renewable
> property. Is it a desired/expected behaviour?

Looks like a bug to me.

Harald.

Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Victor Sudakov
Harald Barth wrote:
> > Indeed, after the first "kinit -R" the ticket loses its renewable
> > property. Is it a desired/expected behaviour?
>
> Looks like a bug to me.

Is it really a bug or some misconfiguration on my part? Here is the
*complete* config on the client:

[libdefaults]
        default_realm = SIBPTUS.RU
        forwardable = yes
        ticket_lifetime = 7d
        renew_lifetime = 7d
        no-addresses = false
        renewable = true


[domain_realm]
        .tomsk.su = SIBPTUS.RU
        .tomsk.ru = SIBPTUS.RU
        .sibptus.ru = SIBPTUS.RU



--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]

Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Jeffrey Altman-2
In reply to this post by Victor Sudakov
On 6/12/2016 6:04 AM, Victor Sudakov wrote:
> Heimdal 1.1.0 on KDC.

This version dates to January 2008.  There have been many bugs fixed in
the 8 years that have passed including the failure to renew tickets bug
which was fixed in 2012.

Jeffrey Altman




Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

Victor Sudakov
Jeffrey Altman wrote:
> > Heimdal 1.1.0 on KDC.
>
> This version dates to January 2008.  There have been many bugs fixed in
> the 8 years that have passed including the failure to renew tickets bug
> which was fixed in 2012.

If I install 1.5.3 from the FreeBSD ports collection and run the kdc
from there, would it improve the situation?


--
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:[hidden email]