Windows 2003 KDC -> linux tgt max lifetime - Kerberos


Thread: Windows 2003 KDC -> linux tgt max lifetime

  1. Windows 2003 KDC -> linux tgt max lifetime

    I have a Windows 2003 SP1 server. Using the W2k3 server to authenticate
    to linux Red Hat clients. Everything works but cannot increase the krbtgt
    ticket lifetime. Trying to increase krbtgt ticket lifetime from the default
    10 hours to 120 hours. We need this for users who run long linux jobs
    that go several days.

    I researched and found that you need to change the Group Policy on the
    domain controller for the following settings that are under "Windows
    Settings + Security Settings + Account Policies + Kerberos Policies". I
    did that:

    Policy                                     Setting
    ------------------------------------------ -------------
    Enforce user login restrictions            Enabled
    Maximum lifetime for service ticket        7200 minutes
    Maximum lifetime for user ticket           120 hours
    Maximum lifetime for user ticket renewal   10 days
    Maximum tolerance for computer clock       5 minutes

    On linux when I use "kinit -l 3d" I still only get a tgt good for 10
    hours. I rebooted the Windows machine and have waited several hours to
    try again. In Windows the krbtgt UPN is a special account. My guess is
    it still thinks the default tgt lifetime is 10 hours.

    Microsoft Knowledge Base says the special krbtgt account should not
    be changed/edited. They say the system occasionally changes the krbtgt
    password. If there was a way to force this it might fix the problem.

    Is there some Windows setting I am missing? Does Windows require
    some other option from kinit to get the tgt lifetime to work?

    I did a network trace from the linux client to the windows server over
    port 88 using "tshark -V port 88". This breaks down the network frames
    very nicely. I can see my client request going to the Windows AD asking
    for a tgt for 3 days, not 10 hours. Below is the trace for the request.

    Below are the frame 3 and frame 4 traces from the "kinit -l 3d" command on
    the linux client. Frame 3 shows the Kerberos AS-REQ (Authentication Server
    Request) and frame 4 shows the AS-REP (Authentication Server Reply). If
    you search for "till:" in the AS-REQ it shows it is asking for the ticket
    to be granted for 3 days. The AS-REP does not say what it gives the client.

    192.168.243.10 = Windows KDC
    152.2.128.185 = Linux Red Hat 4 client

    Authentication Server Request from linux client:
    -----------------------------------------------

    Frame 3 (318 bytes on wire, 318 bytes captured)
    Arrival Time: Jan 18, 2007 08:29:46.268886000
    [Time delta from previous packet: 3.145897000 seconds]
    [Time since reference or first frame: 3.149358000 seconds]
    Frame Number: 3
    Packet Length: 318 bytes
    Capture Length: 318 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:kerberos]
    Ethernet II, Src: Ibm_e1:d4:3a (00:02:55:e1:d4:3a), Dst: FerranSc_0f:34:00
    (00:d0:00:0f:34:00)
    Destination: FerranSc_0f:34:00 (00:d0:00:0f:34:00)
    Address: FerranSc_0f:34:00 (00:d0:00:0f:34:00)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address
    (factory default)
    Source: Ibm_e1:d4:3a (00:02:55:e1:d4:3a)
    Address: Ibm_e1:d4:3a (00:02:55:e1:d4:3a)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address
    (factory default)
    Type: IP (0x0800)
    Internet Protocol, Src: 152.2.128.185 (152.2.128.185), Dst: 192.168.243.10
    (192.168.243.10)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 304
    Identification: 0x995b (39259)
    Flags: 0x04 (Don't Fragment)
    0... = Reserved bit: Not set
    .1.. = Don't fragment: Set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xd3f2 [correct]
    [Good: True]
    [Bad : False]
    Source: 152.2.128.185 (152.2.128.185)
    Destination: 192.168.243.10 (192.168.243.10)
    User Datagram Protocol, Src Port: 32779 (32779), Dst Port: kerberos (88)
    Source port: 32779 (32779)
    Destination port: kerberos (88)
    Length: 284
    Checksum: 0x6afb [correct]
    Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: PA-ENC-TIMESTAMP
    Type: PA-ENC-TIMESTAMP (2)
    Value: 303DA003020117A2360434A68085CFFFD15AFA6F90023601.. . rc4-hmac
    Encryption type: rc4-hmac (23)
    enc PA_ENC_TIMESTAMP:
    A68085CFFFD15AFA6F900236015BB808DAA55E93C1EBFBC4.. .
    KDC_REQ_BODY
    Padding: 0
    KDCOptions: 00800000 (Renewable)
    .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use
    forwardable tickets
    ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT
    a forwarded ticket
    ...0 .... .... .... .... .... .... .... = Proxyable: Do NOT use
    proxiable tickets
    .... 0... .... .... .... .... .... .... = Proxy: This ticket has
    NOT been proxied
    .... .0.. .... .... .... .... .... .... = Allow Postdate: We do
    NOT allow the ticket to be postdated
    .... ..0. .... .... .... .... .... .... = Postdated: This ticket
    is NOT postdated
    .... .... 1... .... .... .... .... .... = Renewable: This ticket
    is RENEWABLE
    .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
    .... .... .... ..0. .... .... .... .... = Constrained Delegation:
    This is a normal request (no constrained delegation)
    .... .... .... ...0 .... .... .... .... = Canonicalize: This is
    NOT a canonicalized ticket request
    .... .... .... .... .... .... ..0. .... = Disable Transited
    Check: Transited checking is NOT disabled
    .... .... .... .... .... .... ...0 .... = Renewable OK: We do NOT
    accept renewed tickets
    .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT
    encrypt the tkt inside the skey
    .... .... .... .... .... .... .... ..0. = Renew: This is NOT a
    request to renew a ticket
    .... .... .... .... .... .... .... ...0 = Validate: This is NOT a
    request to validate a postdated ticket
    Client Name (Principal): sopko
    Name-type: Principal (1)
    Name: sopko
    Realm: MSE.UNCCS.TEST
    Server Name (Unknown): krbtgt/MSE.UNCCS.TEST
    Name-type: Unknown (0)
    Name: krbtgt
    Name: MSE.UNCCS.TEST
    from: 2007-01-18 13:29:43 (Z)
    till: 2007-01-21 13:29:43 (Z)
    rtime: 2007-02-01 13:29:43 (Z)
    Nonce: 1169126986
    Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
    Encryption type: aes256-cts-hmac-sha1-96 (18)
    Encryption type: aes128-cts-hmac-sha1-96 (17)
    Encryption type: des3-cbc-sha1 (16)
    Encryption type: rc4-hmac (23)
    Encryption type: des-cbc-crc (1)
    Encryption type: des-cbc-md5 (3)
    Encryption type: des-cbc-md4 (2)



    Authentication Server Reply from Windows KDC:
    ---------------------------------------------

    Frame 4 (1298 bytes on wire, 1298 bytes captured)
    Arrival Time: Jan 18, 2007 08:29:46.272862000
    [Time delta from previous packet: 0.003976000 seconds]
    [Time since reference or first frame: 3.153334000 seconds]
    Frame Number: 4
    Packet Length: 1298 bytes
    Capture Length: 1298 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:kerberos]
    Ethernet II, Src: FerranSc_0f:34:00 (00:d0:00:0f:34:00), Dst: Ibm_e1:d4:3a
    (00:02:55:e1:d4:3a)
    Destination: Ibm_e1:d4:3a (00:02:55:e1:d4:3a)
    Address: Ibm_e1:d4:3a (00:02:55:e1:d4:3a)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address
    (factory default)
    Source: FerranSc_0f:34:00 (00:d0:00:0f:34:00)
    Address: FerranSc_0f:34:00 (00:d0:00:0f:34:00)
    .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    .... ..0. .... .... .... .... = LG bit: Globally unique address
    (factory default)
    Type: IP (0x0800)
    Internet Protocol, Src: 192.168.243.10 (192.168.243.10), Dst: 152.2.128.185
    (152.2.128.185)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    0000 00.. = Differentiated Services Codepoint: Default (0x00)
    .... ..0. = ECN-Capable Transport (ECT): 0
    .... ...0 = ECN-CE: 0
    Total Length: 1284
    Identification: 0x91f6 (37366)
    Flags: 0x00
    0... = Reserved bit: Not set
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: UDP (0x11)
    Header checksum: 0xd883 [correct]
    [Good: True]
    [Bad : False]
    Source: 192.168.243.10 (192.168.243.10)
    Destination: 152.2.128.185 (152.2.128.185)
    User Datagram Protocol, Src Port: kerberos (88), Dst Port: 32779 (32779)
    Source port: kerberos (88)
    Destination port: 32779 (32779)
    Length: 1264
    Checksum: 0x6096 [correct]
    Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    Client Realm: MSE.UNCCS.TEST
    Client Name (Principal): sopko
    Name-type: Principal (1)
    Name: sopko
    Ticket
    Tkt-vno: 5
    Realm: MSE.UNCCS.TEST
    Server Name (Unknown): krbtgt/MSE.UNCCS.TEST
    Name-type: Unknown (0)
    Name: krbtgt
    Name: MSE.UNCCS.TEST
    enc-part rc4-hmac
    Encryption type: rc4-hmac (23)
    Kvno: 2
    enc-part: AD62812D35283B38406555205797096C504ABA1437091AE2.. .
    enc-part rc4-hmac
    Encryption type: rc4-hmac (23)
    Kvno: 9
    enc-part: 13E0C1A48307F923FF4FBDF808DC3253F59C32A5739830A2.. .

    4 packets captured
    --
    John W. Sopko Jr. University of North Carolina
    email: sopko AT cs.unc.edu Computer Science Dept., CB 3175
    Phone: 919-962-1844 Sitterson Hall; Room 044
    Fax: 919-962-1799 Chapel Hill, NC 27599-3175
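The AS-REP in the trace cannot show the granted lifetime because the ticket's endtime lives in the encrypted part, so the only place to read what the KDC actually handed out is the client's credential cache (klist). The following is an added example, not code from the thread, that puts the three pieces of evidence side by side: the from/till/rtime fields tshark printed for the AS-REQ (copied from the post), the policy values from the post's table, and a constructed klist listing that reproduces what the post reports (a 10 hour TGT; the 7 day "renew until" value is also constructed, assumed to be the Windows default). It then classifies each lifetime as fully granted, clamped by the configured maximum, or shorter than both, which is the signature of a policy that is configured but not in effect on the KDC. The klist timestamps assume the client is in US Eastern time (13:29:43Z shown as 08:29:43 local).

```python
"""Compare the TGT lifetime a client asked for (tshark AS-REQ), the lifetime
the KDC granted (klist), and the configured Kerberos policy maximums.

Added example, not part of the original thread.  AS-REQ times are the ones
tshark printed in the post; the klist output below is constructed."""
from datetime import datetime, timedelta
import re

# KDC_REQ_BODY times exactly as tshark -V printed them in the post (UTC).
AS_REQ_TEXT = """\
from: 2007-01-18 13:29:43 (Z)
till: 2007-01-21 13:29:43 (Z)
rtime: 2007-02-01 13:29:43 (Z)
"""

# Constructed MIT klist output for the same kinit.  klist prints local time;
# the client is assumed to be in US Eastern, so 13:29:43Z appears as 08:29:43.
# The 7 day renew-until value is constructed (assumed Windows default).
KLIST_TEXT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: sopko@MSE.UNCCS.TEST

Valid starting     Expires            Service principal
01/18/07 08:29:43  01/18/07 18:29:43  krbtgt/MSE.UNCCS.TEST@MSE.UNCCS.TEST
        renew until 01/25/07 08:29:43
"""

# Kerberos Policy rows from the post, as the GPO editor shows them.
POLICY = {
    "Maximum lifetime for service ticket": "7200 minutes",
    "Maximum lifetime for user ticket": "120 hours",
    "Maximum lifetime for user ticket renewal": "10 days",
    "Maximum tolerance for computer clock": "5 minutes",
}

_UNITS = {"minutes": "minutes", "hours": "hours", "days": "days"}


def policy_delta(value):
    """'120 hours' -> timedelta(hours=120); raises KeyError on an unknown unit."""
    number, unit = value.split()
    return timedelta(**{_UNITS[unit]: int(number)})


def parse_as_req_times(text):
    """Return the from/till/rtime fields of a tshark AS-REQ dump as datetimes."""
    pat = re.compile(r"^\s*(from|till|rtime):\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", re.M)
    return {m.group(1): datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
            for m in pat.finditer(text)}


def requested_lifetimes(text):
    """(ticket lifetime, renewable lifetime) the client asked for."""
    t = parse_as_req_times(text)
    return t["till"] - t["from"], t["rtime"] - t["from"]


_TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"


def granted_lifetimes(text):
    """(ticket lifetime, renewable lifetime) of the krbtgt entry in MIT klist output."""
    fmt = "%m/%d/%y %H:%M:%S"
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"\s*" + _TS + r"\s+" + _TS + r"\s+krbtgt/", line)
        if not m:
            continue
        start = datetime.strptime(m.group(1), fmt)
        end = datetime.strptime(m.group(2), fmt)
        renew = None  # klist prints "renew until" on the following line
        if i + 1 < len(lines):
            r = re.search(r"renew until " + _TS, lines[i + 1])
            if r:
                renew = datetime.strptime(r.group(1), fmt) - start
        return end - start, renew
    raise ValueError("no krbtgt ticket in klist output")


def diagnose(requested, granted, policy_max):
    """Classify a granted lifetime against the request and the policy maximum.

    A KDC grants min(requested, policy maximum).  Anything shorter means the
    KDC is not running with the policy the admin configured (in the thread,
    the GPO had been edited but not enforced)."""
    if granted >= requested:
        return "ok"
    if granted >= policy_max:
        return "clamped_by_policy"
    return "policy_not_effective"


def report(as_req_text=AS_REQ_TEXT, klist_text=KLIST_TEXT, policy=POLICY):
    """Diagnose both the ticket lifetime and the renewable lifetime."""
    req_life, req_renew = requested_lifetimes(as_req_text)
    got_life, got_renew = granted_lifetimes(klist_text)
    return {
        "ticket": diagnose(req_life, got_life,
                           policy_delta(policy["Maximum lifetime for user ticket"])),
        "renewal": diagnose(req_renew, got_renew,
                            policy_delta(policy["Maximum lifetime for user ticket renewal"])),
    }


if __name__ == "__main__":
    for name, verdict in report().items():
        print(name, verdict)
```

With the post's numbers both verdicts come out "policy_not_effective": 10 hours is below the 3 days requested and below the 120 hour maximum, and 7 days is below both the 14 days requested and the 10 day renewal maximum, which points at the KDC rather than at kinit. A real run would feed the output of "klist" and the tshark dump in instead of the embedded strings.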

  2. Re: Windows 2003 KDC -> linux tgt max lifetime

    I installed the Windows resource kit tools on the W2k3 server
    and ran the "kerbtray" command, which brings up a gui that shows
    your ticket lifetime. It is still 10 hours, not the 120 hours
    I set it to.

    I also installed MIT's KfW 3.1 and obtained a ticket and it
    was also for 10 hours even though I told it to get 2, 3, 5
    days etc.

    So the problem must be on the w2k3 side somewhere.

    --
    John W. Sopko Jr. University of North Carolina
    email: sopko AT cs.unc.edu Computer Science Dept., CB 3175
    Phone: 919-962-1844 Sitterson Hall; Room 044
    Fax: 919-962-1799 Chapel Hill, NC 27599-3175

  3. Re: Windows 2003 KDC -> linux tgt max lifetime

    Figured it out. I am not a Windows Sys admin, but learning.
    You have to right-click the policy and select the "Enforce"
    setting to enforce the group policy. It is not recommended
    to make changes in the "Default Domain Policy", which was
    not enforced by default.

    So I created a new group policy object, edited the Kerberos
    settings, then set the enforce option on the object. I can
    now get tickets for whatever I set the times to <|:-)


    --
    John W. Sopko Jr. University of North Carolina
    email: sopko AT cs.unc.edu Computer Science Dept., CB 3175
    Phone: 919-962-1844 Sitterson Hall; Room 044
    Fax: 919-962-1799 Chapel Hill, NC 27599-3175
