On Mon, 2004-10-25 at 13:13, Phil Dibowitz wrote:
> On Mon, Oct 25, 2004 at 04:07:43PM -0400, Rachel Elizabeth Dillon wrote:
> > Do you have something like this in /etc/krb5kdc/kdc.conf (or wherever
> > your kdc configuration files live) :
> >
> > max_renewable_life = 7d 0h 0m 0s
>
> Yup - from my original post:
>
> My kdc.conf has (among other things):
>
> max_life = 10h 0m 0s
> max_renewable_life = 7d 0h 0m 0s
> default_principal_flags = +forwardable,+renewable
>
> > ? I don't have anything in my /etc/krb5.conf about renewable times,
> > and I can kinit -R successfully. Other than that my configuration is
>
> I wouldn't think anything would be needed in krb5.conf either, but I was
> desperate.
>
> > out of the box MIT Kerberos, at least with regard to renewable tickets.
> > Were I in your position, I would try taking out all of the extra lines
> > about renewable tickets, restart everything, and try again; I think
> > renewable tickets work by default, based on the documentation I just
> > went and glanced at.
>
> I did. I stripped krb5.conf down and tried again... same thing.

Try adding this small patch to your krb5 distribution -- it enables
kinit to look up default values for lifetime, renew lifetime, and
forwardable from the kinit and libdefaults sections.
--
Eric Andresen
Systems Administrator
Mars Space Flight Facility
Arizona State University
[EMAIL PROTECTED]
(480) 727-8471
diff -ur krb5-1.3.1-orig/src/clients/kinit/kinit.c krb5-1.3.1/src/clients/kinit/kinit.c
--- krb5-1.3.1-orig/src/clients/kinit/kinit.c 2003-06-05 18:26:45.000000000 -0700
+++ krb5-1.3.1/src/clients/kinit/kinit.c 2004-06-11 11:06:51.000000000 -0700
@@ -749,6 +749,49 @@
initialized.
*/
+ if (opts->lifetime == 0) {
+ /*
+ * If we weren't given a lifetime on the command line, get the
+ * one out of appdefaults
+ */
+
+ char *lifetime = NULL;
+
+ krb5_appdefault_string(k5->ctx, "kinit",
+ krb5_princ_realm(k5->ctx, k5->me),
+ "ticket_lifetime", "", &lifetime);
+
+ if (lifetime && *lifetime)
+ krb5_string_to_deltat(lifetime, &opts->lifetime);
+ }
+
+ if (opts->rlife == 0) {
+ /*
+ * If we weren't given a renew lifetime on the command line, get the
+ * one out of appdefaults
+ */
+
+ char *lifetime = NULL;
+
+ krb5_appdefault_string(k5->ctx, "kinit",
+ krb5_princ_realm(k5->ctx, k5->me),
+ "renew_lifetime", "", &lifetime);
+
+ if (lifetime && *lifetime)
+ krb5_string_to_deltat(lifetime, &opts->rlife);
+ }
+
+ if (opts->forwardable == 0 && opts->not_forwardable == 0) {
+ /*
+ * If we weren't given an option, then check for it in appdefaults
+ */
+
+ krb5_appdefault_boolean(k5->ctx, "kinit",
+ krb5_princ_realm(k5->ctx, k5->me),
+ "forwardable", opts->forwardable,
+ &opts->forwardable);
+ }
+
if (opts->lifetime)
krb5_get_init_creds_opt_set_tkt_life(&options, opts->lifetime);
if (opts->rlife)
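
Review bot: the return value of krb5_string_to_deltat() is ignored in both the ticket_lifetime and renew_lifetime blocks, so a malformed value in the configuration is silently dropped and kinit carries on as if the key had not been set; check the result and print a warning that names the offending key. The lifetime string filled in by krb5_appdefault_string() is also never freed in either block, so release it once the value has been parsed. The lookups go through krb5_appdefault_string() and krb5_appdefault_boolean() with the "kinit" application name, which the comments call appdefaults, and the diff touches only kinit.c, so the change should come with documentation that names that section and the three keys it reads (ticket_lifetime, renew_lifetime, forwardable).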
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos