Package: krb5-kdc
Version: 1.4.4-7etch5
Severity: important

Regardless of principal settings, and /etc/krb5kdc/kdc.conf configuration, maximum ticket life is not granted beyond 10 hours time. Maximum renewable life is always the time the ticket was issued. This prevents users from renewing their tickets (kinit -R).

I have another KDC, and another realm, running krb5-kdc 1.4.4-7etch5 on i386 which does not have this problem.

A bit more interesting is that in early testing I was not able to get a maximum ticket life beyond 9 hours. Any attempt to get a ticket with a longer life would give me tickets that expired at exactly their time of issuance. I was not able to reproduce this particular symptom during later testing, which makes me a bit nervous as the behavior seems a bit erratic.

Included is some information about the principal and a couple attempts at getting tickets issued with different life/renewal settings.

kadmin.local:  getprinc someuser
Principal: [EMAIL PROTECTED]
Expiration date: [never]
Last password change: Fri May 02 02:26:17 PDT 2008
Password expiration date: Wed Oct 29 02:26:17 PDT 2008
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 2 days 00:00:00
Last modified: Fri May 02 02:54:27 PDT 2008 (someuser/[EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with RSA-MD5, Version 4
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: default

[EMAIL PROTECTED]:~$ kinit
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1039
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 02:51:39  05/02/08 12:51:39  krbtgt/[EMAIL PROTECTED]
        renew until 05/02/08 02:51:39

Kerberos 4 ticket cache: /tmp/tkt1039
klist: You have no tickets cached
[EMAIL PROTECTED]:~$ kinit -R
kinit(v5): Ticket expired while renewing credentials
[EMAIL PROTECTED]:~$

[EMAIL PROTECTED]:~$ kinit -l 9h -r 9h
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1039
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 02:52:36  05/02/08 11:52:33  krbtgt/[EMAIL PROTECTED]
        renew until 05/02/08 02:52:36

Kerberos 4 ticket cache: /tmp/tkt1039
klist: You have no tickets cached
[EMAIL PROTECTED]:~$ kinit -R
kinit(v5): Ticket expired while renewing credentials

[EMAIL PROTECTED]:~$ kinit -l 14h -r 24h
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1039
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 02:57:12  05/02/08 12:57:12  krbtgt/[EMAIL PROTECTED]
        renew until 05/02/08 02:57:12, Flags: FPRIA

Kerberos 4 ticket cache: /tmp/tkt1039
klist: You have no tickets cached

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages krb5-kdc depends on:
ii  deb  1.5.11etch1                           Debian configuration management sy
ii  krb  1.4.4-7etch5                          Basic programs to authenticate usi
ii  lib  2.3.6.ds1-13etch5                     GNU C Library: Shared libraries
ii  lib  1.39+1.40-WIP-2006.11.14+dfsg-2etch1  common error description library
ii  lib  1.4.4-7etch5                          MIT Kerberos administration runtim
ii  lib  1.4.4-7etch5                          MIT Kerberos runtime libraries
ii  lsb  3.1-23.2etch1                         Linux Standard Base 3.1 init scrip
ii  net  4.29                                  Basic TCP/IP networking system

krb5-kdc recommends no packages.

-- debconf information:
  krb5-kdc/debconf: true
  krb5-kdc/krb4-mode: none
  krb5-kdc/run-krb524: true
  krb5-kdc/purge_data_too: false
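
Added example, not part of the original report or of the krb5 package: a small checker that parses klist output in the MM/DD/YY layout shown above and reports the two symptoms described, a granted lifetime shorter than the one requested and a "renew until" time that is not after the start time. The sample text is constructed from the third attempt in the report; the realm EXAMPLE.COM and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the klist layout from the report (third attempt,
# kinit -l 14h -r 24h); EXAMPLE.COM stands in for the redacted realm.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1039
Default principal: someuser@EXAMPLE.COM

Valid starting     Expires            Service principal
05/02/08 02:57:12  05/02/08 12:57:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 05/02/08 02:57:12, Flags: FPRIA
"""

STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET_RE = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until {STAMP}")

def ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")

def parse_klist(output):
    """Return one dict per ticket: service, start, expires, renew_until."""
    tickets = []
    for line in output.splitlines():
        if m := TICKET_RE.match(line):
            tickets.append({"service": m.group(3), "start": ts(m.group(1)),
                            "expires": ts(m.group(2)), "renew_until": None})
        elif (m := RENEW_RE.match(line)) and tickets:
            tickets[-1]["renew_until"] = ts(m.group(1))
    return tickets

def check_ticket(ticket, want_life, want_renew):
    """Compare granted lifetimes with the requested ones; return findings."""
    findings = []
    life = ticket["expires"] - ticket["start"]
    if life < want_life:
        findings.append(f"lifetime {life} shorter than requested {want_life}")
    renew = ticket["renew_until"]
    if renew is None:
        findings.append("ticket is not renewable")
    elif renew <= ticket["start"]:
        findings.append("renew-until not after start time: kinit -R will fail")
    elif renew - ticket["start"] < want_renew:
        findings.append("renewable window shorter than requested")
    return findings

if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        for f in check_ticket(t, timedelta(hours=14), timedelta(hours=24)):
            print(f"{t['service']}: {f}")
```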