
Re: Unable to create renewable ticket when we switched to a 1.12 KDC

daemon@ATHENA.MIT.EDU (Ishaan Joshi)
Fri Aug 21 15:07:04 2015

MIME-Version: 1.0
In-Reply-To: <55D6B26A.5060003@mit.edu>
Date: Fri, 21 Aug 2015 11:51:53 -0700
Message-ID: <CAPACEZCCrru7BywDMLH6mUK3H8YNjG5EqTRJjhYUH2UW81QTog@mail.gmail.com>
From: Ishaan Joshi <ishaan@cloudera.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Ben, Greg,

Thanks a bunch for the quick responses. Let me restate the problem we
faced (which is exactly what Ben described):

Our earlier behaviour was to issue the following kinit to periodically
renew our daemon's ticket: "kinit -r <time_string> -k -t <keytab>
<service_name>". The time_string was hard-coded to a day. The renewal time
was controlled by another option that was passed in.

When we first ran against a 1.12 KDC, the ticket became non-renewable
because the hard-coded value for time_string happened to be equal to the
ticket_lifetime in the krb5.conf.

I have a few follow-on questions:

   - Can I assume that our previous behaviour was incorrect, and we just
   got lucky because it was not enforced?
   - Do we need to use the -r flag, given that the ticket is renewed
   periodically?
   - Are there any risks to passing in a value via -l on older KDCs, apart
   from overriding the value in the krb5.conf?

Thanks !

Ishaan

On Thu, Aug 20, 2015 at 10:08 PM, Greg Hudson <ghudson@mit.edu> wrote:

> On 08/20/2015 11:45 PM, Benjamin Kaduk wrote:
> >> We recently ran into a problem wherein the tickets for our service could
> >> not be renewed. After a lot of digging, we traced the change in behaviour
> >
> > Can you say more about the problematic behavior you were experiencing? My
> > understanding is that the commit you link to was not expected to result in
> > any noticeable decrease in functionality, so it would be helpful to
> > understand what actually happened.
>
> I think the issue is that if you do something like:
>
>     kinit -l 1d -r 1d princname
>
> you no longer get a renewable ticket.  Then, when you go to renew the
> ticket, you get an error.  Although there's no practical reason (that I
> know of) to renew tickets without extending their lifetimes, I could see
> this situation arising as an edge case in some kinds of scripts.  I
> didn't anticipate that possibility when making the KDC change in 1.12.
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
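The failure mode discussed in this thread, as an added example that is not part of the original messages: a small POSIX sh helper that converts kinit-style duration strings to seconds, checks that a requested renewable lifetime (-r) is strictly longer than the ticket lifetime (-l, or ticket_lifetime from krb5.conf when -l is omitted), and inspects klist output for the "renew until" line that MIT klist prints under a renewable ticket. The klist samples are constructed for illustration; the helper names and the policy "renew must exceed lifetime" are this example's own reading of the thread, not kinit's or the KDC's code.

```sh
#!/bin/sh
# Added example (not from the thread). Since the krb5 1.12 KDC change discussed
# above, asking for -r equal to the ticket lifetime yields a NON-renewable
# ticket, so a later "kinit -R" fails. These helpers let a renewal script
# catch that before it relies on renewal.

# krb_to_seconds DURATION
# Convert a kinit-style duration ("1d", "36h", "2h30m", "90") to seconds.
# A bare number is taken as seconds, as kinit does. Returns 1 on bad input.
krb_to_seconds() {
    dur="$1"
    total=0
    num=""
    while [ -n "$dur" ]; do
        c=${dur%"${dur#?}"}          # first character
        dur=${dur#?}                 # remainder
        case "$c" in
            [0-9]) num="$num$c"; continue ;;
            d) mult=86400 ;;
            h) mult=3600 ;;
            m) mult=60 ;;
            s) mult=1 ;;
            *) return 1 ;;
        esac
        total=$((total + ${num:-0} * mult))
        num=""
    done
    total=$((total + ${num:-0}))     # trailing bare number = seconds
    echo "$total"
}

# renewable_request LIFETIME RENEW_TILL
# Exit 0 when RENEW_TILL is strictly longer than LIFETIME, i.e. when a
# 1.12+ KDC would actually set the RENEWABLE flag. Pass the krb5.conf
# ticket_lifetime as LIFETIME if the script does not use -l.
renewable_request() {
    life=$(krb_to_seconds "$1") || return 2
    renew=$(krb_to_seconds "$2") || return 2
    [ "$renew" -gt "$life" ]
}

# ticket_is_renewable < klist-output
# MIT klist prints an indented "renew until <time>" line under a renewable
# ticket and nothing under a non-renewable one.
ticket_is_renewable() {
    grep -q 'renew until'
}

# Constructed klist output for illustration (not a real credential cache).
SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_example
Default principal: svc/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
08/21/2015 11:51:53  08/22/2015 11:51:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 08/28/2015 11:51:53'

SAMPLE_NONRENEWABLE='Ticket cache: FILE:/tmp/krb5cc_example
Default principal: svc/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
08/21/2015 11:51:53  08/22/2015 11:51:53  krbtgt/EXAMPLE.COM@EXAMPLE.COM'

# Demonstration: the "-l 1d -r 1d" case from the thread versus a sane request.
for pair in "1d 1d" "1d 7d"; do
    set -- $pair
    if renewable_request "$1" "$2"; then
        echo "-l $1 -r $2: renewable ticket"
    else
        echo "-l $1 -r $2: NOT renewable on a 1.12+ KDC; kinit -R will fail"
    fi
done
if printf '%s\n' "$SAMPLE_RENEWABLE" | ticket_is_renewable; then
    echo "sample cache 1: renewable"
fi
if ! printf '%s\n' "$SAMPLE_NONRENEWABLE" | ticket_is_renewable; then
    echo "sample cache 2: not renewable"
fi
```

In a real renewal loop you would run `renewable_request` once on the configured values before the first kinit, and `klist | ticket_is_renewable` right after obtaining the ticket, so a silently non-renewable ticket is reported when it is issued rather than when renewal fails a day later.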
