[32262] in Kerberos
Re: no renewable flag in krb5.conf ?
daemon@ATHENA.MIT.EDU (Russ Allbery)
Tue Apr 13 14:23:47 2010
From: Russ Allbery <rra@stanford.edu>
To: Guillaume Rousse <Guillaume.Rousse@inria.fr>
In-Reply-To: <4BC45C3E.8010708@inria.fr> (Guillaume Rousse's message of "Tue,
13 Apr 2010 13:57:50 +0200")
Date: Tue, 13 Apr 2010 11:23:42 -0700
Message-ID: <87r5mj43f5.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu

Guillaume Rousse <Guillaume.Rousse@inria.fr> writes:

> I just realized that it was possible to force forwardable tickets
> through krb5.conf, but not renewable ones. Is it intentional?
> For instance, the following doesn't work as expected:
>
> [appdefaults]
>     pam = {
>         forwardable = true
>         renewable = true
>     }

I assume that you're using my PAM module here, since I think it's the only
one that looks at [appdefaults].pam. (I could be wrong, though; maybe the
Red Hat one does as well.) Anyway, for mine, you want to use
renew_lifetime, not renewable:

    renew_lifetime=<lifetime>
        Obtain renewable tickets with a maximum renewable lifetime of
        <lifetime>. <lifetime> should be a Kerberos lifetime string such
        as "2d4h10m" or a time in minutes. If set, this overrides the
        Kerberos library default set in the [libdefaults] section of
        krb5.conf.

        This option can be set in krb5.conf and is only applicable to the
        auth group.

Or as mentioned you can also set this in [libdefaults], where it will also
affect kinit and similar programs as well as the PAM module.

--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
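
An added example, not part of the original message and not code from the PAM module: a small Python check that reads a krb5.conf, flags `renewable` in the [appdefaults] pam block, and reports the renewable lifetime in effect from `renew_lifetime` there or, failing that, from [libdefaults]. The sample file, the function names and the one-level brace parsing are assumptions made for illustration; a bare number is read as minutes, as the quoted documentation states.

```python
import re
# Constructed sample (not from the thread): the poster's pam block plus a
# [libdefaults] default, to show which value ends up applying.
SAMPLE = """\
[libdefaults]
    renew_lifetime = 7d
[appdefaults]
    pam = {
        forwardable = true
        renewable = true
    }
"""
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def lifetime_seconds(text):
    """'2d4h10m' or a bare number of minutes (per the quoted docs) -> seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text) * 60
    parts = re.findall(r"(\d+)([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a lifetime string: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def read_settings(conf):
    """Map (section, subsection-or-None) -> {key: value}; one nesting level."""
    out, section, sub = {}, None, None
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = line[1:-1], None
        elif line == "}":
            sub = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                sub = key          # start of a block such as "pam = {"
            else:
                out.setdefault((section, sub), {})[key] = value
    return out

def pam_renew_lifetime(conf):
    """Return (seconds or None, warnings) for the pam appdefaults block."""
    cfg = read_settings(conf)
    pam = cfg.get(("appdefaults", "pam"), {})
    warnings = ["pam: use renew_lifetime=<lifetime>, not renewable"] if "renewable" in pam else []
    value = pam.get("renew_lifetime") or cfg.get(("libdefaults", None), {}).get("renew_lifetime")
    return (lifetime_seconds(value) if value else None, warnings)
```

Run against the sample, the check warns about `renewable` and reports the 7-day [libdefaults] value; replacing that line with `renew_lifetime = 2d4h10m` makes the pam setting take precedence.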