| Summary: | Cannot request renewable tickets | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Orion Poplawski <orion> |
| Component: | krb5 | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED WORKSFORME | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 5.6 | CC: | dpal, jplans, prc |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-05-12 17:35:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
What are the maximum renewable lifetimes set on orion.COM and krbtgt/CORA.NWRA.COM.COM? Is either of those 0?

Ah, I did not realize that the principals themselves had that attribute. They were both 0. Changing both to 7 days allows it to work:
[orion@orca orion]$ kinit -r 5d
Password for orion.COM:
[orion@orca orion]$ klist
Ticket cache: FILE:/tmp/krb5cc_1744
Default principal: orion.COM
Valid starting Expires Service principal
05/12/11 11:23:26 05/13/11 11:23:23 krbtgt/CORA.NWRA.COM.COM
renew until 05/17/11 11:23:23
[orion@orca orion]$ kinit -R
[orion@orca orion]$ klist
Ticket cache: FILE:/tmp/krb5cc_1744
Default principal: orion.COM
Valid starting Expires Service principal
05/12/11 11:23:34 05/13/11 11:23:31 krbtgt/CORA.NWRA.COM.COM
renew until 05/17/11 11:23:23
Is there any way to get new principals to automatically have the maxrenewlife set, or do I need to do that manually when adding?
Thanks!
The default is set from the KDC's setting for the max_renewable_life. My guess is it was set in your configuration file after the entries in question were created. Anyhow, marking this one works-for-me.

It doesn't appear to be picking up that default when creating new principals.

It does when I try it. If you're using kadmin remotely, was kadmind restarted since the configuration was last modified?

Ah, that was it. I had restarted the kdc but not kadmind.
Description of problem:

[realms]
CORA.NWRA.COM = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
default_principal_flags = +renewable
max_renewable_life = 7d 0h 0m 0s
}

[orion@earth ~]$ kinit -V -r 2d
Password for orion.COM:
Authenticated to Kerberos v5
[orion@earth ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1744_VWTZS20309
Default principal: orion.COM
Valid starting Expires Service principal
05/12/11 09:51:04 05/13/11 09:51:04 krbtgt/CORA.NWRA.COM.COM
renew until 05/12/11 09:51:04

Kerberos 4 ticket cache: /tmp/tkt1744
klist: You have no tickets cached
[orion@earth ~]$ kinit -R
kinit(v5): Ticket expired while renewing credentials

Version-Release number of selected component (if applicable):
krb5-server-1.6.1-55.el5_6.1
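The root cause traced in the comments above (a principal with maxrenewlife 0 even though the realm's max_renewable_life is 7d) comes from how an MIT KDC sizes the renewable lifetime: it grants the smallest of the value requested with `kinit -r`, the realm's max_renewable_life, the client principal's maxrenewlife and the krbtgt/REALM principal's maxrenewlife. A zero anywhere in that chain produces exactly the klist output in the description, where "renew until" equals the ticket's start time and `kinit -R` reports the ticket as expired. The following is an added example, not code from the bug report or from the krb5 project: it applies that min rule, names which setting is the binding cap, and parses klist output so an administrator can check a credential cache for tickets that are not actually renewable. The two klist samples are constructed from the lines in this report; the line layout they assume is the one shown on this page.

```python
# Added example (not from the bug report): explains the "renew until" values
# seen in the report's klist output and checks a cache for non-renewable tickets.
import re
from datetime import datetime, timedelta

KLIST_TIME = "%m/%d/%y %H:%M:%S"
# "<start> <expires> <service principal>" as printed by MIT klist on this page
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)
RENEW_RE = re.compile(r"^\s*renew until (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*$")


def days(n):
    """Small helper so lifetimes read like kinit/kadmin arguments (e.g. days(7))."""
    return timedelta(days=n)


def effective_renewable_life(requested, realm_max, client_max, krbtgt_max):
    """Renewable lifetime the KDC grants: the minimum of the request and all caps.
    Assumption stated in the lead-in: this is the MIT KDC's rule."""
    return min(requested, realm_max, client_max, krbtgt_max)


def limiting_caps(requested, realm_max, client_max, krbtgt_max):
    """Names of the settings that hold the grant below what was requested.
    An empty list means the client got the full renewable life it asked for."""
    caps = {
        "max_renewable_life": realm_max,        # [realms] section of kdc.conf
        "client maxrenewlife": client_max,      # kadmin: getprinc <user>
        "krbtgt maxrenewlife": krbtgt_max,      # kadmin: getprinc krbtgt/REALM
    }
    granted = effective_renewable_life(requested, realm_max, client_max, krbtgt_max)
    return [name for name, value in caps.items() if value == granted and value < requested]


def parse_klist(text):
    """Parse ticket lines from klist output into dicts of datetimes.
    'renew_until' stays None when klist printed no renew line for the ticket."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start, expires, service = m.groups()
            tickets.append({
                "start": datetime.strptime(start, KLIST_TIME),
                "expires": datetime.strptime(expires, KLIST_TIME),
                "service": service,
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # the renew line belongs to the ticket just parsed
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), KLIST_TIME)
    return tickets


def is_renewable(ticket):
    """A ticket is usefully renewable only if it can be renewed past its expiry.
    The broken case on this page has renew_until == start, which fails this."""
    ru = ticket["renew_until"]
    return ru is not None and ru > ticket["expires"]


def can_renew_at(ticket, now):
    """kinit -R succeeds only while the ticket is unexpired and before renew_until."""
    ru = ticket["renew_until"]
    return ru is not None and now < ticket["expires"] and now < ru


# Constructed samples, copied from the klist output in this report.
BROKEN_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1744_VWTZS20309
Default principal: orion.COM
Valid starting     Expires            Service principal
05/12/11 09:51:04  05/13/11 09:51:04  krbtgt/CORA.NWRA.COM.COM
        renew until 05/12/11 09:51:04
"""

WORKING_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1744
Default principal: orion.COM
Valid starting     Expires            Service principal
05/12/11 11:23:26  05/13/11 11:23:23  krbtgt/CORA.NWRA.COM.COM
        renew until 05/17/11 11:23:23
"""

if __name__ == "__main__":
    # The report's situation: kinit -r 2d, realm cap 7d, both principals at 0.
    print("granted:", effective_renewable_life(days(2), days(7), days(0), days(0)),
          "limited by:", limiting_caps(days(2), days(7), days(0), days(0)))
    for label, text in (("broken", BROKEN_KLIST), ("working", WORKING_KLIST)):
        t = parse_klist(text)[0]
        print(label, t["service"], "renewable past expiry:", is_renewable(t))
```

In practice the audit is: run `klist` on a host whose renewals fail and feed the output to `parse_klist`, then compare the three caps the KDC consults (`max_renewable_life` in kdc.conf, and `kadmin -q "getprinc ..."` for the user and for krbtgt/REALM) with `limiting_caps`. The comment thread adds the operational caveat that `kadmind` must be restarted after kdc.conf changes, or new principals keep being created with the old maxrenewlife default.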