Edward Roper <[EMAIL PROTECTED]> writes:

> Package: krb5-kdc
> Version: 1.4.4-7etch5
> Severity: important
>
> Regardless of principal settings, and /etc/krb5kdc/kdc.conf
> configuration, maximum ticket life is not granted beyond 10 hours time.
> Maximum renewable life is always the time the ticket was issued.

I'm getting a 25 hour ticket lifetime using code that's essentially the
same as that version in etch, so I'm fairly sure this is a configuration
problem.  We just have to track down what the configuration problem is.

> Included is some information about the principal and a couple attempts
> at getting tickets issued with different life/renewal settings.
>
> kadmin.local:  getprinc someuser
> Principal: [EMAIL PROTECTED]
> Expiration date: [never]
> Last password change: Fri May 02 02:26:17 PDT 2008
> Password expiration date: Wed Oct 29 02:26:17 PDT 2008
> Maximum ticket life: 1 day 00:00:00
> Maximum renewable life: 2 days 00:00:00
> Last modified: Fri May 02 02:54:27 PDT 2008 (someuser/[EMAIL PROTECTED])
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 6
> Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 2, DES cbc mode with CRC-32, no salt
> Key: vno 2, DES cbc mode with RSA-MD5, Version 4
> Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
> Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
> Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
> Attributes: REQUIRES_PRE_AUTH
> Policy: default

The key information that you don't include is your kdc.conf file and the
getprinc output for the krbtgt/SOME.REALM.COM principal.  The KDC cannot
hand out tickets with a longer lifetime than the lifetime of the krbtgt
principal; that's the most common configuration mistake that causes this.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
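The rule in the reply above (a TGT cannot outlive the cap on the krbtgt principal, and the same holds for the client principal and the realm-wide limits in kdc.conf) can be checked mechanically. The script below is an added example, not code from the thread or from the Debian package: it parses constructed `getprinc` output for a user principal and for `krbtgt/EXAMPLE.COM`, reads `max_life` / `max_renewable_life` from a constructed kdc.conf stanza, and reports which of the caps is the binding one. It assumes the MIT KDC behaviour of taking the minimum over the requested life, the client principal's cap, the krbtgt principal's cap and the realm cap (and treats a key missing from kdc.conf as simply not binding, which ignores MIT's built-in defaults); the realm name, principal names and all durations are made up. The sample is chosen so that it reproduces the two symptoms from the bug report: a 10 hour ticket and a renew-till equal to the issue time.

```python
import re
from datetime import timedelta

# kadmin prints durations as '1 day 00:00:00', '2 days 00:00:00' or '10:00:00'.
GETPRINC_DURATION = re.compile(r"(?:(\d+) days? )?(\d+):(\d+):(\d+)")
# kdc.conf durations look like '24h 0m 0s' or '7d 0h 0m 0s' (plain seconds also allowed).
KDC_CONF_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Constructed sample data (not taken from the bug report).
SAMPLE_USER = """\
Principal: someuser@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 2 days 00:00:00
Attributes: REQUIRES_PRE_AUTH
"""
SAMPLE_KRBTGT = """\
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 10:00:00
Maximum renewable life: 0 days 00:00:00
Attributes:
"""
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        max_life = 24h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
"""
# What the client asked for (kinit -l 25h -r 2d, assumed request).
REQUESTED = {"max_life": timedelta(hours=25), "max_renewable_life": timedelta(days=2)}


def parse_getprinc_duration(text):
    """Parse kadmin's '[N day(s) ]HH:MM:SS' duration format."""
    m = GETPRINC_DURATION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised getprinc duration: {text!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_kdc_conf_duration(text):
    """Parse kdc.conf '7d 0h 0m 0s' style durations, or a bare number of seconds."""
    text = text.strip()
    if text.isdigit():
        return timedelta(seconds=int(text))
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts:
        raise ValueError(f"unrecognised kdc.conf duration: {text!r}")
    return timedelta(seconds=sum(int(n) * KDC_CONF_UNITS[u] for n, u in parts))


def principal_limits(getprinc_output):
    """Extract the two lifetime caps from 'kadmin: getprinc' output."""
    limits = {}
    for line in getprinc_output.splitlines():
        if line.startswith("Maximum ticket life:"):
            limits["max_life"] = parse_getprinc_duration(line.split(":", 1)[1])
        elif line.startswith("Maximum renewable life:"):
            limits["max_renewable_life"] = parse_getprinc_duration(line.split(":", 1)[1])
    if len(limits) != 2:
        raise ValueError("getprinc output lacks the lifetime fields")
    return limits


def realm_limits(kdc_conf, realm):
    """Minimal kdc.conf reader: one 'key = value' per line inside 'REALM = { ... }'."""
    stanza = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", kdc_conf, re.S)
    if not stanza:
        raise ValueError(f"realm {realm} not found in kdc.conf")
    limits = {}
    for key in ("max_life", "max_renewable_life"):
        km = re.search(r"^\s*" + key + r"\s*=\s*(.+?)\s*$", stanza.group(1), re.M)
        if km:
            limits[key] = parse_kdc_conf_duration(km.group(1))
    return limits


def effective_limits(requested, user_out, krbtgt_out, kdc_conf, realm):
    """Return {cap: (timedelta, source)} where source names the binding constraint.

    Assumed KDC rule: the granted value is the minimum of the request, the client
    principal's cap, the krbtgt principal's cap and the realm cap from kdc.conf."""
    sources = {
        "request": requested,
        "client principal": principal_limits(user_out),
        f"krbtgt/{realm}": principal_limits(krbtgt_out),
        "kdc.conf": realm_limits(kdc_conf, realm),
    }
    result = {}
    for key in ("max_life", "max_renewable_life"):
        candidates = [(vals[key], name) for name, vals in sources.items() if key in vals]
        result[key] = min(candidates, key=lambda c: c[0])
    return result


def diagnose():
    """Run the check over the constructed sample and describe the outcome."""
    result = effective_limits(REQUESTED, SAMPLE_USER, SAMPLE_KRBTGT, SAMPLE_KDC_CONF, "EXAMPLE.COM")
    for key, (value, source) in result.items():
        note = "  (renew-till will equal the issue time)" if value == timedelta(0) else ""
        print(f"{key}: {value} limited by {source}{note}")
    return result


if __name__ == "__main__":
    diagnose()
```

Run against real output, the same idea becomes two `kadmin.local -q "getprinc ..."` calls (user and `krbtgt/REALM`) plus the `[realms]` stanza of /etc/krb5kdc/kdc.conf; whichever source the script names as binding is the one to raise with `modprinc -maxlife` / `-maxrenewlife` or in kdc.conf.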
