Re: max_life problem

2016-08-05 Thread Александр Баранин
Yes, you are right.
But in my case I used a build from source code.
But at the moment of realm creation the 10h limit was in my kdc.conf, so
this limit was copied to the krbtgt principal.

2016-08-02 22:56 GMT+03:00 Benjamin Kaduk :

> On Mon, 1 Aug 2016, Greg Hudson wrote:
>
> > On 08/01/2016 04:29 AM, Александр Баранин wrote:
> > > I use MIT Kerberos, version krb5-1.14.2, compiled from source.
> > > And I can't force the KDC to issue tickets for more than 10 hours.
> >
> > In addition to the realm setting, the client and server entries in the
> > KDC database can also have a max_life value.  Using "getprinc" in
> > kadmin, look at the "Maximum ticket life" on the user principal and on
> > krbtgt/ALFA.IT.  Are either of them ten hours?  If so, you can change
> > them with "modprinc -maxlife".
>
> (It looks like this is on a Debian system, so I'll note that the debian
> krb5-kdc package will create a kdc.conf that has max_life 10 hours on
> first installation.  So, principals created when such a kdc.conf was in
> place would be affected by it.)
>
> -Ben

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: max_life problem

2016-08-02 Thread Benjamin Kaduk
On Mon, 1 Aug 2016, Greg Hudson wrote:

> On 08/01/2016 04:29 AM, Александр Баранин wrote:
> > I use MIT Kerberos, version krb5-1.14.2, compiled from source.
> > And I can't force the KDC to issue tickets for more than 10 hours.
>
> In addition to the realm setting, the client and server entries in the
> KDC database can also have a max_life value.  Using "getprinc" in
> kadmin, look at the "Maximum ticket life" on the user principal and on
> krbtgt/ALFA.IT.  Are either of them ten hours?  If so, you can change
> them with "modprinc -maxlife".

(It looks like this is on a Debian system, so I'll note that the debian
krb5-kdc package will create a kdc.conf that has max_life 10 hours on
first installation.  So, principals created when such a kdc.conf was in
place would be affected by it.)

-Ben


Re: max_life problem

2016-08-01 Thread Greg Hudson
On 08/01/2016 04:29 AM, Александр Баранин wrote:
> I use MIT Kerberos, version krb5-1.14.2, compiled from source.
> And I can't force the KDC to issue tickets for more than 10 hours.

In addition to the realm setting, the client and server entries in the
KDC database can also have a max_life value.  Using "getprinc" in
kadmin, look at the "Maximum ticket life" on the user principal and on
krbtgt/ALFA.IT.  Are either of them ten hours?  If so, you can change
them with "modprinc -maxlife".

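Greg's point is that the KDC clamps a TGT's lifetime to the smallest of three values: the realm's max_life in kdc.conf, the client principal's maximum ticket life, and the service principal's (here krbtgt/ALFA.IT) maximum ticket life. The script below is an added example, not code from the list or from MIT krb5: it parses the duration syntax kdc.conf accepts, pulls "Maximum ticket life" out of kadmin getprinc output, and reports which of the three caps actually limited a request. The kdc.conf fragment reuses the values posted in the thread; the two getprinc outputs are constructed (the user principal "alice" and the 10-hour krbtgt value are hypothetical, chosen to reproduce the symptom described).

```python
import re

# Constructed kdc.conf fragment using the realm max_life posted in the thread.
KDC_CONF = """\
[realms]
ALFA.IT = {
database_module = LDAP
max_life = 1d 0h 0m 0s
max_renewable_life = 14d 1h 0m 0s
}
"""

# Constructed kadmin "getprinc" output (hypothetical principal and values).
GETPRINC_USER = """\
Principal: alice@ALFA.IT
Expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 14 days 01:00:00
"""

# Constructed: a krbtgt entry that inherited a 10-hour cap at realm creation.
GETPRINC_KRBTGT = """\
Principal: krbtgt/ALFA.IT@ALFA.IT
Expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
"""


def parse_krb5_duration(text):
    """Parse the duration forms krb5 accepts in kdc.conf/krb5.conf:
    plain seconds ("36000"), h:m[:s] ("10:00:00") or units ("1d 0h 0m 0s",
    "10h", "1440m"). Returns seconds."""
    text = text.strip()
    if re.fullmatch(r"\d+", text):
        return int(text)
    m = re.fullmatch(r"(\d+):(\d+)(?::(\d+))?", text)
    if m:
        h, mi, s = m.groups()
        return int(h) * 3600 + int(mi) * 60 + int(s or 0)
    m = re.fullmatch(r"(?:(\d+)d)?\s*(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)s)?", text)
    if not m or not any(m.groups()):
        raise ValueError(f"unparseable duration: {text!r}")
    d, h, mi, s = (int(x or 0) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_getprinc_maxlife(output):
    """Extract "Maximum ticket life" from getprinc output, which kadmin prints
    as "<N> day(s) HH:MM:SS". Returns seconds."""
    m = re.search(r"^Maximum ticket life:\s*(\d+) days? (\d+):(\d+):(\d+)", output, re.M)
    if not m:
        raise ValueError("no 'Maximum ticket life' line in getprinc output")
    d, h, mi, s = map(int, m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def parse_kdc_conf_max_life(conf, realm):
    """Minimal reader for the flat 'key = value' lines inside the [realms]
    stanza for `realm`; not a full krb5 profile parser. Returns seconds or None."""
    in_realm = False
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith(realm) and line.endswith("{"):
            in_realm = True
            continue
        if in_realm and line == "}":
            break
        if in_realm and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "max_life":
                return parse_krb5_duration(value)
    return None


def effective_tgt_life(requested, realm_max, client_max, service_max):
    """The KDC issues the smallest of the requested life and the three caps.
    Returns (seconds, name of the limiting value) so you know which to fix."""
    caps = {
        "requested": requested,
        "realm max_life": realm_max,
        "client principal maxlife": client_max,
        "service principal maxlife": service_max,
    }
    limiting = min(caps, key=caps.get)
    return caps[limiting], limiting


def diagnose(requested_text):
    """Reproduce the thread's scenario: kinit -l <requested_text> against
    the sample configuration above."""
    seconds, limiting = effective_tgt_life(
        parse_krb5_duration(requested_text),
        parse_kdc_conf_max_life(KDC_CONF, "ALFA.IT"),
        parse_getprinc_maxlife(GETPRINC_USER),
        parse_getprinc_maxlife(GETPRINC_KRBTGT),
    )
    return {"requested": requested_text, "seconds": seconds,
            "hours": seconds / 3600, "limited_by": limiting}


if __name__ == "__main__":
    for req in ("9h", "12h", "1d"):
        print(diagnose(req))
```

With the sample data a 12h or 1d request comes back as 36000 seconds, limited by the krbtgt entry, which matches the klist output in the original report; a 9h request is limited only by itself. The page's fix is kadmin's "modprinc -maxlife" on the offending principal (its argument is a getdate string, e.g. "1 day"). Since krbtgt's maximum ticket life bounds every TGT in the realm, raising it also lengthens the window in which a stolen credential cache stays usable, so set it to the longest lifetime actually needed rather than an arbitrarily large value.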


max_life problem

2016-08-01 Thread Александр Баранин
Hello!

I use MIT Kerberos, version krb5-1.14.2, compiled from source.
And I can't force the KDC to issue tickets for more than 10 hours.

This is part of my krb5.conf:

[libdefaults]
default_realm = ALFA.IT
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_canonicalize_hostname = false
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
ticket_lifetime = 1d 0h 0m 0s
renew_lifetime = 14d 1h 0m 0s

This is part of my kdc.conf:

[realms]
ALFA.IT = {
database_module = LDAP
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 1d 0h 0m 0s
max_renewable_life = 14d 1h 0m 0s

Here are my tests:

root@debian:/etc/krb5kdc# kinit -l "9h"
Password for r...@alfa.it:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r...@alfa.it

Valid starting   Expires  Service principal
08/01/2016 11:19:12  08/01/2016 20:19:12  krbtgt/alfa...@alfa.it
renew until 08/08/2016 11:19:12

The ticket is OK and is for 9 hours.

root@debian:/etc/krb5kdc# kdestroy

Trying to get a ticket for 12 hours.

root@debian:/etc/krb5kdc# kinit -l "12h"
Password for r...@alfa.it:

root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r...@alfa.it

Valid starting   Expires  Service principal
08/01/2016 11:19:39  08/01/2016 21:19:39  krbtgt/alfa...@alfa.it
renew until 08/08/2016 11:19:39

Now we see that the ticket issued by the KDC is for 10 hours only.

root@debian:/etc/krb5kdc# kdestroy

Now trying to get a ticket for 1 day:

root@debian:/etc/krb5kdc# kinit -l "1d"
Password for r...@alfa.it:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r...@alfa.it

Valid starting   Expires  Service principal
08/01/2016 11:19:53  08/01/2016 21:19:53  krbtgt/alfa...@alfa.it
renew until 08/08/2016 11:19:53

The ticket obtained is for 10 hours too.

I tried setting the time in different units (24h, 1440m, etc.) in the KDC and
client library configs, but the result was the same: I can get a TGT for 10
hours only.

What's wrong?
Is it a Kerberos bug or a bug in my configuration?
Please help!
