Re: max_life problem
Yes, you are right. But in my case I used compilation from source code. But at the moment of realm creation the limit 10h was in my kdc.conf. So this limit was copied to principal krbtgt.

2016-08-02 22:56 GMT+03:00 Benjamin Kaduk:

> On Mon, 1 Aug 2016, Greg Hudson wrote:
>
> > On 08/01/2016 04:29 AM, Александр Баранин wrote:
> > > I use mit kerberos, version krb5-1.14.2, compiled from source.
> > > And I can't force kdc to issue tickets for more than 10 hours.
> >
> > In addition to the realm setting, the client and server entries in the
> > KDC database can also have a max_life value. Using "getprinc" in
> > kadmin, look at the "Maximum ticket life" on the user principal and on
> > krbtgt/ALFA.IT. Are either of them ten hours? If so, you can change
> > them with "modprinc -maxlife".
>
> (It looks like this is on a Debian system, so I'll note that the debian
> krb5-kdc package will create a kdc.conf that has max_life 10 hours on
> first installation. So, principals created when such a kdc.conf was in
> place would be affected by it.)
>
> -Ben

Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: max_life problem
On Mon, 1 Aug 2016, Greg Hudson wrote:

> On 08/01/2016 04:29 AM, Александр Баранин wrote:
> > I use mit kerberos, version krb5-1.14.2, compiled from source.
> > And I can't force kdc to issue tickets for more than 10 hours.
>
> In addition to the realm setting, the client and server entries in the
> KDC database can also have a max_life value. Using "getprinc" in
> kadmin, look at the "Maximum ticket life" on the user principal and on
> krbtgt/ALFA.IT. Are either of them ten hours? If so, you can change
> them with "modprinc -maxlife".

(It looks like this is on a Debian system, so I'll note that the debian
krb5-kdc package will create a kdc.conf that has max_life 10 hours on
first installation. So, principals created when such a kdc.conf was in
place would be affected by it.)

-Ben

Re: max_life problem
On 08/01/2016 04:29 AM, Александр Баранин wrote:

> I use mit kerberos, version krb5-1.14.2, compiled from source.
> And I can't force kdc to issue tickets for more than 10 hours.

In addition to the realm setting, the client and server entries in the
KDC database can also have a max_life value. Using "getprinc" in
kadmin, look at the "Maximum ticket life" on the user principal and on
krbtgt/ALFA.IT. Are either of them ten hours? If so, you can change
them with "modprinc -maxlife".

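Added example (not part of the original thread, and not code from MIT krb5): the check described above, run over getprinc output. The KDC grants the smallest of the requested lifetime, the realm max_life, and the "Maximum ticket life" of the client and krbtgt principals. The getprinc excerpts, the principal user@ALFA.IT and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed getprinc excerpts (assumed values, not from the thread). On a live
# KDC this text would come from: kadmin.local -q "getprinc <principal>"
USER_PRINC='Principal: user@ALFA.IT
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00'
KRBTGT_PRINC='Principal: krbtgt/ALFA.IT@ALFA.IT
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00'

# Print the "Maximum ticket life" field of a getprinc dump ($1) in seconds.
max_life_seconds() {
    printf '%s\n' "$1" | awk -F': ' '/^Maximum ticket life:/ {
        split($2, f, " "); split(f[3], t, ":")
        print f[1] * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
        exit
    }'
}

# Print the smallest of the given limits in seconds.
effective_life() {
    min=$1
    shift
    for v in "$@"; do
        if [ "$v" -lt "$min" ]; then min=$v; fi
    done
    echo "$min"
}

# Args: requested, realm max_life, client max life, krbtgt max life (seconds).
# Print the names of the limits that equal the effective lifetime.
binding_limits() {
    eff=$(effective_life "$@")
    out=""
    for name in requested realm client krbtgt; do
        if [ "$1" -eq "$eff" ]; then out="$out $name"; fi
        shift
    done
    echo "${out# }"
}

requested=43200   # kinit -l "12h"
realm=86400       # kdc.conf: max_life = 1d 0h 0m 0s
client=$(max_life_seconds "$USER_PRINC")
krbtgt=$(max_life_seconds "$KRBTGT_PRINC")
echo "granted: $(effective_life "$requested" "$realm" "$client" "$krbtgt")s"
echo "capped by: $(binding_limits "$requested" "$realm" "$client" "$krbtgt")"
```

When the krbtgt entry is the binding limit, the fix named in the thread applies: "modprinc -maxlife" on that principal.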
max_life problem
Hello!
I use mit kerberos, version krb5-1.14.2, compiled from source.
And I can't force kdc to issue tickets for more than 10 hours.

This is part of my krb5.conf:

[libdefaults]
    default_realm = ALFA.IT

    # The following krb5.conf variables are only for MIT Kerberos.
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true
    dns_canonicalize_hostname = false
    default_ccache_name = FILE:/tmp/krb5cc_%{uid}
    ticket_lifetime = 1d 0h 0m 0s
    renew_lifetime = 14d 1h 0m 0s

This is part of my kdc.conf:

[realms]
    ALFA.IT = {
        database_module = LDAP
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 1d 0h 0m 0s
        max_renewable_life = 14d 1h 0m 0s
    }

Here are my tests:

root@debian:/etc/krb5kdc# kinit -l "9h"
Password for r...@alfa.it:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r...@alfa.it

Valid starting       Expires              Service principal
08/01/2016 11:19:12  08/01/2016 20:19:12  krbtgt/alfa...@alfa.it
        renew until 08/08/2016 11:19:12

Ticket is ok and is for 9 hours.

root@debian:/etc/krb5kdc# kdestroy

Trying to get a ticket for 12 hours.

root@debian:/etc/krb5kdc# kinit -l "12h"
Password for r...@alfa.it:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r...@alfa.it

Valid starting       Expires              Service principal
08/01/2016 11:19:39  08/01/2016 21:19:39  krbtgt/alfa...@alfa.it
        renew until 08/08/2016 11:19:39

Now we see that the ticket issued by kdc is for 10 hours only.

root@debian:/etc/krb5kdc# kdestroy

Now trying to get a ticket for 1 day:

root@debian:/etc/krb5kdc# kinit -l "1d"
Password for r...@alfa.it:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r...@alfa.it

Valid starting       Expires              Service principal
08/01/2016 11:19:53  08/01/2016 21:19:53  krbtgt/alfa...@alfa.it
        renew until 08/08/2016 11:19:53

Ticket obtained is for 10 hours too.

I tried setting the time in different units (24h, 1440m, etc.) in the kdc and client library configs, but the result was the same - I can get a TGT for 10 hours only.

What's wrong? Is it a kerberos bug or a bug in the configuration? Please, help!