[32142] in Kerberos


max ticket/renew appears to not work in 1.7.1?

daemon@ATHENA.MIT.EDU (Kevin Longfellow)
Mon Mar 15 10:23:08 2010

Message-ID: <187655.85206.qm@web53506.mail.re2.yahoo.com>
Date: Mon, 15 Mar 2010 07:23:01 -0700 (PDT)
From: Kevin Longfellow <klongfel@yahoo.com>
To: kerberos@mit.edu


Hi,

We are working on setting up a very large Kerberos environment and recently changed to 1.7.1 with an LDAP back end for our testing.  Since two things changed from our previous test environment, I'm not sure what might be the cause of user tickets not getting the requested max lifetime and max renewable.  Our previous test environment was 1.7 with the local database option.

I'll try and list some things that might be relevant:

kadmin.local:  getprinc krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
Principal: krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: [none]
Maximum ticket life: 90 days 00:00:00
Maximum renewable life: 90 days 00:00:00
Last modified: Tue Mar 09 13:49:21 PST 2010 (root/admin@DEV.COMPANY.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, Version 5
Key: vno 1, Triple DES cbc mode with HMAC/sha1, Version 5
Key: vno 1, ArcFour with HMAC/md5, Version 5
MKey: vno 1
Attributes:
Policy: [none]

[klongfel@klongfel-ovs3 ~]$ kinit -l 90d -r 90d
Password for klongfel@DEV.COMPANY.COM:
[klongfel@klongfel-ovs3 ~]$ klist -face
Ticket cache: FILE:/tmp/krb5cc_16620
Default principal: klongfel@DEV.COMPANY.COM

Valid starting     Expires            Service principal
03/15/10 10:11:06  03/16/10 10:11:06  krbtgt/DEV.COMPANY.COM@DEV.COMPANY.COM
        renew until 03/22/10 10:11:06, Flags: RI
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC 
        Addresses: (none)


Kerberos 4 ticket cache: /tmp/tkt16620
klist: You have no tickets cached

kadmin.local:  getprinc klongfel
Principal: klongfel@DEV.COMPANY.COM
Expiration date: [never]
Last password change: Thu Mar 11 12:45:54 PST 2010
Password expiration date: [none]
Maximum ticket life: 90 days 00:00:00
Maximum renewable life: 90 days 00:00:00
Last modified: Thu Mar 11 12:45:54 PST 2010 (root/admin@DEV.COMPANY.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, Version 5
MKey: vno 1
Attributes:
Policy: [none]

[kdcdefaults]
        kdc_ports = 750,88
        clockskew = 3600

[realms]
        DEV.COMPANY.COM = {
                acl_file = /opt/krb5_local/var/krb5kdc/kadm5.acl
                kdc_ports = 750,88
                max_life = 90d 0h 0m 0s
                max_renewable_life =  90d 0h 0m 0s
        }

What am I missing, or what can I check or read, to ensure we can get higher ticket and renew lifetimes?

Thanks for any help with this,

Kevin


      
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
