[11653] in Kerberos-V5-bugs


Re: [krbdev.mit.edu #6759] problem with renewing ticket. valid

daemon@ATHENA.MIT.EDU (Антон via RT)
Mon Aug 23 02:56:11 2010

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Антон via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6759@krbdev.mit.edu>
Message-ID: <rt-6759-33077.0.390155976722397@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6759'":;"'AdminCc of krbdev.mit.edu Ticket #6759'":;@MIT.EDU
Date: Mon, 23 Aug 2010 02:56:09 -0400 (EDT)
Reply-To: rt-comment@krbdev.MIT.EDU
Content-Type: multipart/mixed; boundary="===============0311026952=="
Errors-To: krb5-bugs-bounces@mit.edu

--===============0311026952==

Well, I just fixed this.
I found that the K/M and krbtgt principals have
krbMaxRenewableAge = 0.
After
kadmin.local: modprinc -maxrenewlife "1 week" K/M
kadmin.local: modprinc -maxrenewlife "1 week" rkbtgt@DOMAIN.MY
tickets have a 1 week renewal period.




2010/8/20 krb5 <rt@krbdev.mit.edu>
>
> I have a krb5 KDC server with an LDAP backend.
> When I try to renew a ticket I get:
> $ kinit -R
> kinit(v5): Ticket expired while renewing credentials
>
> $ kinit -r 7d -l 2d
> Password for f_anton@DOMAIN.MY:
> $ klist -f
> Ticket cache: FILE:/tmp/krb5cc_1013_s1kvrE
> Default principal: f_anton@DOMAIN.MY
>
> Valid starting     Expires            Service principal
> *08/20/10 19:54:27*  08/21/10 19:54:27  krbtgt/DOMAIN.MY@DOMAIN.MY
> renew until *08/20/10 19:54:27*, Flags: RI
>
> Valid starting = renew until.
>
>
> in kadmin.local:
> kadmin.local:  getprinc f_anton
> [..]
> Maximum ticket life: 2 days 00:00:00
> Maximum renewable life: 28 days 00:00:00
> [..]
> Attributes:
> Policy: default
> kadmin.local:  getpol default
> Policy: default
> Maximum password life: 157766400
> Minimum password life: 86400
> Minimum password length: 6
> Minimum number of password character classes: 2
> Number of old keys kept: 3
> Reference count: 2
>
>
> ==========
> kdc.conf:
>
> [realms]
> DOMAIN.MY = {
>  master_key_type = des-cbc-crc
>  supported_enctypes = rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3
>  max_renewable_life = 7d 0h 0m 0s
>  max_life = 2d 0h 0m 0s
>  default_principal_flags = +renewable
>  krbMaxTicketLife = 172800
>  krbMaxRenewableAge = 604800
> }
>
> ==========
> krb5.conf:
>
> [libdefaults]
> default_realm = DOMAIN.MY
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 2d
> renew_lifetime = 7d
>
> [dbdefaults]
> ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,dc=domain,dc=my"
>
> [dbmodules]
> domain.my = {
>    db_library = kldap
>    ldap_kdc_dn = cn=kdc,ou=kdcroot,dc=domain,dc=my
>    ldap_kadmind_dn = cn=kadmin,ou=kdcroot,dc=domain,dc=my
>    ldap_service_password_file = /var/lib/kerberos/krb5kdc/domain.my.ldapkey
>    ldap_servers = ldap://localhost/
>    ldap_conns_per_server = 15
> }
>
> [realms]
> DOMAIN.MY = {
>    database_module = domain.my
>    admin_server = server6.domain.my
>    default_domain = domain.my
>    kdc = server7.domain.my
>    kdc = server6.domain.my
>    krbMaxTicketLife = 172800
>    krbMaxRenewableAge = 604800
> }
> =============
>
> # rpm -qa '*krb*'
> libkrb5-1.6.3-alt9
> libkrb5-devel-1.6.3-alt9
> krb5-ticket-watcher-1.0.2-alt3
> krb5-kinit-1.6.3-alt9
> krb5-kadmin-1.6.3-alt9
> krb5-server-1.6.3-alt9
> krb5-services-1.6.3-alt9
> krb5-kdc-1.6.3-alt9
> libkrb5-ldap-1.6.3-alt9
> pam_krb5-3.13-alt1
>
>


-- 
Best regards, Антон.


--===============0311026952==--
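
An added example, not part of the original message or of MIT krb5: the KDC grants a renewable lifetime no longer than the smallest of the requested value, the realm's max_renewable_life, the client principal's limit and the krbtgt principal's limit, so a krbtgt entry at 0 makes "renew until" equal "Valid starting" no matter what the other settings say. The script parses `getprinc`-style output and names the limit responsible; the krbtgt output samples and the function names are constructed for illustration.

```python
import re

# Line format as quoted in the report: "Maximum renewable life: 28 days 00:00:00"
_RENEW_RE = re.compile(
    r"Maximum renewable life:\s*(\d+) days? (\d+):(\d+):(\d+)")


def max_renew_seconds(getprinc_output):
    """Extract 'Maximum renewable life' from getprinc text, in seconds."""
    m = _RENEW_RE.search(getprinc_output)
    if m is None:
        raise ValueError("no 'Maximum renewable life' line found")
    days, hours, minutes, seconds = map(int, m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def renew_window(limits):
    """Return (effective seconds, names of the limits that impose it)."""
    window = min(limits.values())
    return window, sorted(n for n, v in limits.items() if v == window)


# From the report: getprinc f_anton
CLIENT = ("Maximum ticket life: 2 days 00:00:00\n"
          "Maximum renewable life: 28 days 00:00:00\n")
# Constructed: getprinc output for a krbtgt entry with krbMaxRenewableAge = 0
KRBTGT_BEFORE = ("Maximum ticket life: 2 days 00:00:00\n"
                 "Maximum renewable life: 0 days 00:00:00\n")
# Constructed: the same entry after modprinc -maxrenewlife "1 week"
KRBTGT_AFTER = ("Maximum ticket life: 2 days 00:00:00\n"
                "Maximum renewable life: 7 days 00:00:00\n")


def diagnose(krbtgt_output):
    """Combine the report's settings with one krbtgt getprinc output."""
    return renew_window({
        "kinit -r 7d": 7 * 86400,             # requested on the command line
        "realm max_renewable_life": 604800,   # kdc.conf value from the report
        "client principal": max_renew_seconds(CLIENT),
        "krbtgt principal": max_renew_seconds(krbtgt_output),
    })


if __name__ == "__main__":
    for label, out in (("before", KRBTGT_BEFORE), ("after", KRBTGT_AFTER)):
        window, limiters = diagnose(out)
        print(f"{label}: renewable for {window}s, "
              f"limited by {', '.join(limiters)}")
```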
