[37599] in Kerberos


max_life problem

daemon@ATHENA.MIT.EDU (Александр)
Mon Aug 1 11:13:18 2016

MIME-Version: 1.0
From: Александр Баранин <avbaranin@gmail.com>
Date: Mon, 1 Aug 2016 11:29:15 +0300
Message-ID: <CACjhFAm1ZZNOS+h-K_Hfcb-qxpAvmHx-TNPvcveF+sEv83tfOg@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello!

I use MIT Kerberos, version krb5-1.14.2, compiled from source.
And I can't force the KDC to issue tickets for more than 10 hours.

This is part of my krb5.conf:

[libdefaults]
        default_realm = ALFA.IT
# The following krb5.conf variables are only for MIT Kerberos.
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        dns_canonicalize_hostname = false
        default_ccache_name = FILE:/tmp/krb5cc_%{uid}
        ticket_lifetime = 1d 0h 0m 0s
        renew_lifetime = 14d 1h 0m 0s

This is part of my kdc.conf:

[realms]
    ALFA.IT = {
        database_module = LDAP
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 1d 0h 0m 0s
        max_renewable_life = 14d 1h 0m 0s

Here are my tests:

root@debian:/etc/krb5kdc# kinit -l "9h"
Password for root@ALFA.IT:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting       Expires              Service principal
08/01/2016 11:19:12  08/01/2016 20:19:12  krbtgt/ALFA.IT@ALFA.IT
        renew until 08/08/2016 11:19:12

Ticket is ok and is for 9 hours.

root@debian:/etc/krb5kdc# kdestroy

Trying to get a ticket for 12 hours.

root@debian:/etc/krb5kdc# kinit -l "12h"
Password for root@ALFA.IT:

root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting       Expires              Service principal
08/01/2016 11:19:39  08/01/2016 21:19:39  krbtgt/ALFA.IT@ALFA.IT
        renew until 08/08/2016 11:19:39

Now we see that the ticket issued by the KDC is for 10 hours only.

root@debian:/etc/krb5kdc# kdestroy

Now trying to get ticket for 1 day:

root@debian:/etc/krb5kdc# kinit -l "1d"
Password for root@ALFA.IT:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting       Expires              Service principal
08/01/2016 11:19:53  08/01/2016 21:19:53  krbtgt/ALFA.IT@ALFA.IT
        renew until 08/08/2016 11:19:53

Ticket obtained is for 10 hours too.

I tried setting the time in different units (24h, 1440m, etc.) in the KDC and
client library configs, but the result was the same - I can get a TGT for 10
hours only.

What's wrong?
Is it a Kerberos bug or a bug in the configuration?
Please, help!
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
