[37208] in Kerberos


Re: Unable to create renewable ticket when we switched to a 1.12 KDC

daemon@ATHENA.MIT.EDU (Benjamin Kaduk)
Thu Aug 27 22:36:54 2015

Date: Thu, 27 Aug 2015 22:36:32 -0400 (EDT)
From: Benjamin Kaduk <kaduk@mit.edu>
To: Ishaan Joshi <ishaan@cloudera.com>
In-Reply-To: <CAPACEZCCrru7BywDMLH6mUK3H8YNjG5EqTRJjhYUH2UW81QTog@mail.gmail.com>
Message-ID: <alpine.GSO.1.10.1508272234220.26829@multics.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi Ishaan,

Russ's comments are almost certainly most relevant to your operational
situation, but for completeness, a couple more answers inline.

On Fri, 21 Aug 2015, Ishaan Joshi wrote:

>    Thanks a bunch for the quick responses. Let me restate the problem we
> faced ( which is exactly what Ben described):
>
>     Our earlier behaviour was to issue the following kinit to periodically
> renew our daemon's ticket: "kinit -r <time_string> -k -t <keytab>
> <service_name>". The time_string was hard coded to a day. The renewal time
> was controlled by another option that was passed in.
>
>     When we first ran against a 1.12 KDC, the ticket became non renewable
> because the hard coded value for time_string happened to be equal to the
> ticket_lifetime in the krb5.conf.
>
>    I have a few follow-on questions:
>
>    - Can I assume that our previous behaviour was incorrect, and we just
>    got lucky because it was not enforced?

This is a little bit of a grey area in the specification; there's no need
for the issued ticket to be renewable if the renewable lifetime is less
than or equal to the issued lifetime, and whether the KDC chooses to set
the flag is largely an implementation choice.

>    - Do we need to use the -r flag, given that the ticket is renewed
>    periodically?

In this situation, no; using the -r flag is only relevant if you want to
later utilize "kinit -R" to actually renew the ticket.

>    - Are there any risks to passing in a value via -l on older KDCs, apart
>    from overriding the value in the krb5.conf?

No.

-Ben
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
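The check a daemon operator would want after reading this thread, as an added example that is not part of the original exchange nor code from MIT krb5 or Cloudera: parse `klist -f` output for the krbtgt entry, test for the R flag (which is what `kinit -R` actually requires; a "renew until" timestamp alone does not guarantee it), model the KDC rule Ben states (no renewable flag when the requested renewable lifetime does not exceed the ticket lifetime), and decide whether a periodic refresh should run `kinit -R` or re-acquire from the keytab with `kinit -k -t`. The `klist -f` layout below is a constructed sample in the style of MIT krb5 and is an assumption (real output varies by version and locale), the kinit-style duration parser covers only the `NdNhNmNs` and bare-seconds forms, and the optional clamp to a principal's max renewable life is an assumption about KDC policy, not something the thread states.

```python
"""Check whether a daemon's TGT is really renewable (added example, not thread code)."""
import re
from datetime import datetime, timedelta

# Constructed sample in the style of MIT `klist -f`; not captured from a real host.
SAMPLE_RENEWABLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hdfs/node1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
08/27/2015 22:00:00  08/28/2015 08:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 09/03/2015 22:00:00, Flags: FRIA
"""

# Constructed sample of the failure mode from the thread: `kinit -r 1d` against a
# KDC whose ticket_lifetime is also 1d, so renew_till would not exceed the end
# time and the KDC issues the ticket without the R flag.
SAMPLE_NOT_RENEWABLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: hdfs/node1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
08/27/2015 22:00:00  08/28/2015 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tFlags: FIA
"""

_TS = "%m/%d/%Y %H:%M:%S"                       # assumed timestamp layout
_TS_RE = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
_ENTRY_RE = re.compile(
    rf"^({_TS_RE})\s+({_TS_RE})\s+(\S+)\n"
    rf"\s+(?:renew until ({_TS_RE}), )?Flags: ([A-Za-z]*)",
    re.MULTILINE,
)


def parse_duration(spec):
    """Parse a kinit-style lifetime such as '1d', '10h', '1h30m' or bare seconds."""
    if spec.isdigit():
        return timedelta(seconds=int(spec))
    if not re.fullmatch(r"(?:\d+[dhms])+", spec):
        raise ValueError(f"unsupported lifetime spec: {spec!r}")
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    seconds = sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([dhms])", spec))
    return timedelta(seconds=seconds)


def parse_tgt(klist_output):
    """Return the krbtgt entry from `klist -f` output as a dict, or None if absent."""
    for m in _ENTRY_RE.finditer(klist_output):
        start, end, service, renew, flags = m.groups()
        if not service.startswith("krbtgt/"):
            continue
        return {
            "start": datetime.strptime(start, _TS),
            "expires": datetime.strptime(end, _TS),
            "renew_until": datetime.strptime(renew, _TS) if renew else None,
            "flags": flags,
        }
    return None


def is_renewable(tgt):
    """`kinit -R` needs the R flag; a 'renew until' line by itself is not enough."""
    return "R" in tgt["flags"]


def kdc_sets_renewable(ticket_lifetime, requested_renew_life, max_renewable_life=None):
    """Model the rule from the thread: the KDC need not mark a ticket renewable when
    the renewable lifetime is <= the issued lifetime. The clamp to a principal's
    max renewable life is an assumed policy detail, not something the thread states."""
    effective = requested_renew_life
    if max_renewable_life is not None:
        effective = min(effective, max_renewable_life)
    return effective > ticket_lifetime


def plan_refresh(tgt, now, margin=timedelta(minutes=10)):
    """Decide how a periodic refresh job should proceed: 'renew' (kinit -R) only while
    the ticket is still valid, carries the R flag and has renew window left;
    otherwise 'reacquire' (kinit -k -t <keytab> <principal>), which needs no -r."""
    if not is_renewable(tgt) or tgt["renew_until"] is None:
        return "reacquire"
    if now >= tgt["expires"] or now + margin >= tgt["renew_until"]:
        return "reacquire"
    return "renew"
```

On a real host the input would come from `subprocess.run(["klist", "-f"], capture_output=True, text=True).stdout`; the decision logic is what matters, since a refresh job that blindly runs `kinit -R` against a ticket without the R flag fails exactly the way the thread describes, while re-acquiring from the keytab works regardless of the flag.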
