Help with ticket expiry - Kerberos



Thread: Help with ticket expiry

  1. Help with ticket expiry

    I've struggled with ticket expiry for > 8 hours now and am asking for
    help. Googling the topic over these archives has led me to try these
    things, but first my setup--

    [ayoung:ayoung@ns1 ~]$ uname -a
    Linux ns1.an3e.org 2.6.17-1.2157_FC5 #1 ... 2006 i686 i686 i386 GNU/Linux

    [ayoung:ayoung@ns1 ~]$ rpm -q -a | grep krb
    krb5-server-1.4.3-4.1
    krb5-libs-1.4.3-4.1
    pam_krb5-2.2.6-2.2

    I am trying to increase my expiry from 24h to 72h.

    I first edited /etc/krb5.conf *AFTER* creating my principals
    Under [libdefaults]
    FROM: ticket_lifetime = 24h TO: 72h
    And sudo /etc/rc.d/init.d/krb5kdc reload

    kdestroy; kinit; klist (for example) doesn't seem to have done much--
    [ayoung:ayoung@ayoung-g219 ~]$ klist
    Ticket cache: FILE:/tmp/krb5cc_25670
    Default principal: ayoung@AN3E.ORG
    Valid starting     Expires            Service principal
    09/22/06 09:44:53  09/23/06 09:44:53  krbtgt/AN3E.ORG@AN3E.ORG

    Four hours of googling later--
    kadmin: modify_principal -maxlife 72h ayoung

    Thirty minutes of googling later--
    kadmin: modify_principal -maxlife "3 days" ayoung

    kadmin: getprinc ayoung
    Principal: ayoung@AN3E.ORG
    Expiration date: [never]
    Last password change: Mon Jul 31 14:28:45 PDT 2006
    Password expiration date: [none]
    Maximum ticket life: 3 days 00:00:00
    Maximum renewable life: 0 days 00:00:00
    Last modified: Fri Sep 22 10:50:36 PDT 2006 (admin/admin@AN3E.ORG)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 2
    Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Attributes:
    Policy: [none]

    And again for krbtgt--
    kadmin: modify_principal -maxlife "3 days" krbtgt/AN3E.ORG

    But it seems that I still don't have a 3 day ticket--
    [ayoung:ayoung@ayoung-g219 ~]$ kdestroy;kinit;klist
    Password for ayoung@AN3E.ORG:
    Ticket cache: FILE:/tmp/krb5cc_25670
    Default principal: ayoung@AN3E.ORG

    Valid starting     Expires            Service principal
    09/22/06 10:53:48  09/23/06 10:53:48  krbtgt/AN3E.ORG@AN3E.ORG


    Kerberos 4 ticket cache: /tmp/tkt25670
    klist: You have no tickets cached


    From the posts I've discovered this should be all I need do to increase
    the expire for the principal "ayoung". Any thoughts? Thanks much!

    -Andrew

    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Help with ticket expiry

    > From the posts I've discovered this should be all I need do to increase
    >the expire for the principal "ayoung". Any thoughts? Thanks much!


    The information you read was wrong.

    You need to increase the following things:

    - The expiration time on the user principal (which you did)
    - The expiration time on the krbtgt principal (which you did do)
    - The "max_life" parameter in kdc.conf (which it does not look like you did)

    You should also probably change the expiration time on all of your service
    principals as well.

    I am not convinced "ticket_lifetime" is necessarily correct, but I would
    do "kinit -l 72h" to be extra sure.

    --Ken


  3. Re: Help with ticket expiry

    Ken H.,

    I do not have a /etc/kdc.conf, only
    /usr/kerberos/share/examples/krb5/kdc.conf.
    My /etc/krb5.conf file already has a [realms] section, where I define
    AN3E.ORG.
    I tried adding max_life and max_renewable_life = 72h in my realm defined
    in /etc/krb5.conf with no noticeable effect after--

    [ayoung:ayoung@ns1 ~]$ sudo /etc/rc.d/init.d/krb5kdc restart
    [ayoung:ayoung@ayoung-g219 ~]$ kdestroy;kinit -l 72h;klist
    Valid starting     Expires            Service principal
    09/22/06 12:45:25  09/23/06 12:45:25  krbtgt/AN3E.ORG@AN3E.ORG
            renew until 09/22/06 12:45:25

    -andyy

    Ken Hornstein wrote:
    >> From the posts I've discovered this should be all I need do to increase
    >> the expire for the principal "ayoung". Any thoughts? Thanks much!
    >>
    >
    > The information you read was wrong.
    >
    > You need to increase the following things:
    >
    > - The expiration time on the user principal (which you did)
    > - The expiration time on the krbtgt principal (which you did do)
    > - The "max_life" parameter in kdc.conf (which it does not look like you did)
    >
    > You should also probably change the expiration time on all of your service
    > principals as well.
    >
    > I am not convinced "ticket_lifetime" is necessarily correct, but I would
    > do "kinit -l 72h" to be extra sure.
    >
    > --Ken
    >




  4. Re: Help with ticket expiry

    >Ken H.,
    >
    >I do not have a /etc/kdc.conf, only
    >/usr/kerberos/share/examples/krb5/kdc.conf.


    Well, maybe you should try creating one? It's not in /etc, either ... it's
    in the same location that your database is in.

    --Ken


  5. Re: Help with ticket expiry

    Ken H.,

    That did it!!
    Following your last email I had tried creating a kdc.conf, but failed in
    that I placed it in /etc, not where the database is. Here I failed to
    read the FILES section of KDC.CONF(5) to see where it should go (also
    failed to think of find /var -name kdc.conf in addition to /usr.)

    THANKS,
    Andrew


    Ken Hornstein wrote:
    >> Ken H.,
    >>
    >> I do not have a /etc/kdc.conf, only
    >> /usr/kerberos/share/examples/krb5/kdc.conf.
    >>
    >
    > Well, maybe you should try creating one? It's not in /etc, either ... it's
    > in the same location that your database is in.
    >
    > --Ken
    >


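
The thread ends up touching every one of the four caps Ken listed, so the example below (added here; it is not code from the thread or from MIT Kerberos) models how an MIT KDC arrives at the lifetime it issues: the ticket end time is the smallest of what the client requested, the client principal's "Maximum ticket life", the krbtgt principal's "Maximum ticket life", and the realm's max_life in kdc.conf, where max_life defaults to 24 hours when the key (or, as here, the whole kdc.conf) is absent. The same clamp applies to renewable life against "Maximum renewable life" and max_renewable_life (default 0), which is why the "renew until" time in post 3 equals "Valid starting". The kdc.conf stanzas, the acl_file path and the realm values are constructed for the demo; the duration parser accepts the forms kadmin and krb5 configs use ("72h", "3 days", "1d12h", "36:00", and the "3 days 00:00:00" that getprinc prints). POSIX sh.

```shell
#!/bin/sh
# Added example, not from the thread: model the KDC's lifetime clamp so the
# "why is it still 24h" symptom can be reproduced without a KDC.
#   issued life = min(requested, client maxlife, krbtgt maxlife, realm max_life)
# Realm defaults from kdc.conf(5): max_life 24h, max_renewable_life 0.

# dec: strip leading zeros so "08" is not read as octal by $(( ))
dec() { local v; v=${1#"${1%%[!0]*}"}; echo "${v:-0}"; }

# to_seconds: parse "72h", "3d", "1d12h", "3 days", "1 hour", "36:00",
# "1d 0:00:00", "3 days 00:00:00"; a bare number is seconds. Returns 1 on junk.
to_seconds() {
    local spec total tok h m s rest num unit n
    spec=$(printf '%s' "$1" | tr 'A-Z' 'a-z' \
        | sed -E 's/ *days?/d/g; s/ *hours?/h/g; s/ *(minutes?|mins?)/m/g; s/ *(seconds?|secs?)/s/g')
    total=0
    for tok in $spec; do
        case "$tok" in
            *:*:*)  # HH:MM:SS
                h=${tok%%:*}; rest=${tok#*:}; m=${rest%%:*}; s=${rest#*:}
                total=$(( total + $(dec "$h")*3600 + $(dec "$m")*60 + $(dec "$s") )) ;;
            *:*)    # HH:MM
                h=${tok%%:*}; m=${tok#*:}
                total=$(( total + $(dec "$h")*3600 + $(dec "$m")*60 )) ;;
            *)      # one or more <number><unit> terms, e.g. 1d12h
                while [ -n "$tok" ]; do
                    num=${tok%%[!0-9]*}
                    [ -n "$num" ] || { echo "bad duration: $1" >&2; return 1; }
                    rest=${tok#"$num"}
                    unit=${rest%"${rest#?}"}     # first char of rest, or empty
                    n=$(dec "$num")
                    case "$unit" in
                        d)    total=$(( total + n*86400 )) ;;
                        h)    total=$(( total + n*3600 )) ;;
                        m)    total=$(( total + n*60 )) ;;
                        s|'') total=$(( total + n )) ;;
                        *)    echo "bad duration: $1" >&2; return 1 ;;
                    esac
                    tok=${rest#?}
                done ;;
        esac
    done
    echo "$total"
}

# kdc_realm_setting CONF_TEXT REALM KEY DEFAULT: value of KEY inside the
# realm's stanza under [realms], or DEFAULT when the key or stanza is missing.
kdc_realm_setting() {
    local val
    val=$(printf '%s\n' "$1" | awk -v realm="$2" -v key="$3" '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[realms\]/); inrealm = 0 }
        insec && $1 == realm && $2 == "=" { inrealm = 1; next }
        inrealm && /^[[:space:]]*}/       { inrealm = 0 }
        inrealm && $1 == key && $2 == "=" { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }
    ')
    echo "${val:-$4}"
}

min_seconds() {
    local best v
    best=$1; shift
    for v in "$@"; do [ "$v" -lt "$best" ] && best=$v; done
    echo "$best"
}

# issued_life REQUESTED CLIENT_MAX KRBTGT_MAX REALM_MAX (duration strings) -> seconds
issued_life() {
    local r c k m
    r=$(to_seconds "$1") && c=$(to_seconds "$2") && k=$(to_seconds "$3") && m=$(to_seconds "$4") || return 1
    min_seconds "$r" "$c" "$k" "$m"
}

# Convenience wrappers: CONF_TEXT REALM REQUESTED CLIENT_MAX KRBTGT_MAX
ticket_life_for_realm()    { issued_life "$3" "$4" "$5" "$(kdc_realm_setting "$1" "$2" max_life 24h)"; }
renewable_life_for_realm() { issued_life "$3" "$4" "$5" "$(kdc_realm_setting "$1" "$2" max_renewable_life 0)"; }

hms() { printf '%dd %02d:%02d:%02d\n' $(( $1/86400 )) $(( $1%86400/3600 )) $(( $1%3600/60 )) $(( $1%60 )); }

# Constructed kdc.conf stanzas: Andrew's realm with no max_life (24h default
# wins), then with the keys Ken asked for. The acl_file path is illustrative.
KDC_CONF_BEFORE='[realms]
 AN3E.ORG = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
 }'
KDC_CONF_AFTER='[realms]
 AN3E.ORG = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  max_life = 72h
  max_renewable_life = 7d
 }'

# State from the thread: ayoung and krbtgt/AN3E.ORG both at "3 days", kinit -l 72h.
echo "before kdc.conf fix: $(hms "$(ticket_life_for_realm "$KDC_CONF_BEFORE" AN3E.ORG 72h '3 days' '3 days')")"
echo "after kdc.conf fix:  $(hms "$(ticket_life_for_realm "$KDC_CONF_AFTER"  AN3E.ORG 72h '3 days' '3 days')")"
echo "renewable, principals still at 0 days: $(hms "$(renewable_life_for_realm "$KDC_CONF_AFTER" AN3E.ORG 7d 0 0)")"
```

Two practical notes follow from the model. Service tickets are clamped by the service principal's own "Maximum ticket life" in the same way, which is Ken's reason for raising the service principals too, and the realm values only take effect from the kdc.conf the krb5kdc process actually reads, next to its database rather than /etc/krb5.conf (on this Fedora build that is the directory `find /var -name kdc.conf` would have turned up; the exact path is not stated in the thread).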

