Unable to get a TGT that abides to specified renewal interval - Kerberos


  1. Unable to get a TGT that abides to specified renewal interval

    Hi,

    I am having problems getting TGTs with renewal periods as specified in
    the kinit -r option. My kdc.conf realm stanza has these two parameters set:

    max_life = 10h 0m 0s
    max_renewable_life = 7d 0h 0m 0s

    I have explicitly set the forwardable flag in the realm's
    default_principal_flags parameter.
    I have played with various values in /etc/krb5.conf [libdefault] stanza
    renew_lifetime and ticket_lifetime values, and I have set the principal
    -maxrenewlife to 7 days. Still, whenever I do a kinit -l 10h -r 7d my
    renew until timestamp is the same as the ticket creation one:

    stefano@filo2 ~ $ klist -fc
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: stefano@SANTORO.ORG

    Valid starting     Expires            Service principal
    10/15/05 03:51:29  10/15/05 13:51:29  krbtgt/SANTORO.ORG@SANTORO.ORG
            renew until 10/15/05 03:51:29, Flags: RI

    I would really appreciate any insights to solve this riddle.

    Ciao
    Stefano


  2. Re: Unable to get a TGT that abides to specified renewal interval

    vtkstef wrote:
    > Hi,
    >
    > I am having problems getting TGTs with renewal periods as specified in
    > the kinit -r option. My kdc.conf realm stanza has these two parameters set:
    >
    > max_life = 10h 0m 0s
    > max_renewable_life = 7d 0h 0m 0s
    >
    > I have explicitly set the forwardable flag in the realm's
    > default_principal_flags parameter.
    > I have played with various values in /etc/krb5.conf [libdefault] stanza
    > renew_lifetime and ticket_lifetime values, and I have set the principal
    > -maxrenewlife to 7 days. Still, whenever I do a kinit -l 10h -r 7d my
    > renew until timestamp is the same as the ticket creation one:
    >
    > stefano@filo2 ~ $ klist -fc
    > Ticket cache: FILE:/tmp/krb5cc_1000
    > Default principal: stefano@SANTORO.ORG
    >
    > Valid starting     Expires            Service principal
    > 10/15/05 03:51:29  10/15/05 13:51:29  krbtgt/SANTORO.ORG@SANTORO.ORG
    >         renew until 10/15/05 03:51:29, Flags: RI
    >
    > I would really appreciate any insights to solve this riddle.
    >
    > Ciao
    > Stefano


    Check the lifetime settings for the krbtgt/SANTORO.ORG@SANTORO.ORG and
    stefano@SANTORO.ORG principals in the KDB.

    Jeffrey Altman



    --
    -----------------
    This e-mail account is not read on a regular basis.
    Please send private responses to jaltman at mit dot edu

  3. Re: Unable to get a TGT that abides to specified renewal interval

    Yes, I have, and both the krbtgt/SANTORO.ORG and the stefano principals
    have ticket lifetime policies that match the KDC conf max values:

    kadmin: getprinc stefano
    Principal: stefano ...
    ....
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    ....
    Number of keys: 2
    Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Attributes:
    Policy: [none]
    kadmin: getprinc krbtgt/SANTORO.ORG
    Principal: krbtgt/SANTORO.ORG...
    ....
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    .....
    Number of keys: 2
    Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Attributes:
    Policy: [none]

