Bug 152152 - Max Lifetime of TGT limited to 1 day
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: krb5
Version: 3.0
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
 
Reported: 2005-03-25 07:15 EST by Ulrich Seidl
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-10-19 15:05:48 EDT


Attachments
Patch for KRB5_KDB_MAX_RLIFE Bug (526 bytes, patch)
2005-03-26 03:35 EST, Ulrich Seidl
Increase the compile time setting of the max (renew) lifetime to 31 days. (666 bytes, patch)
2005-03-26 03:37 EST, Ulrich Seidl

Description Ulrich Seidl 2005-03-25 07:15:33 EST
Description of problem:
Cannot retrieve a TGT that has a maxlifetime / maxrenewlifetime > 1 day.

Version-Release number of selected component (if applicable):
krb5 1.2.7-38

How reproducible:
Always. I have set the maxlifetime / maxrenewlifetime of all principals to 30
days with kadmin / modprinc and checked the settings with kadmin / getprinc.
(Even did this for K/M@... krbtgt/...@...). Additionally entered "max_life =
30days" in /var/kerberos/krb5kdc/kdc.conf and "ticket_lifetime = 30days"
"renew_lifetime = 30days" in /etc/krb5.conf within the libdefaults section.

 
Steps to Reproduce:
1. kinit -l 7days -r 7days <USER>
2. klist -f
Actual results:
Get a Ticket that is valid for 1 day, with max renewable time 1 day.

Expected results:
Get a Ticket valid for 7 days.

Additional info:
output of "klist -f":

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <USER>@...

Valid starting     Expires            Service principal
03/25/05 12:58:45  03/26/05 12:58:45  krbtgt/...@...
        renew until 03/26/05 12:58:45, Flags: FRI

krb5kdc.log contains:
... krb5kdc[30355](info): AS_REQ (5 etypes {16 23 1 3 2}) <HOSTIP>(88): ISSUE:
authtime 1111752748, etypes {rep=16 tkt=16 ses=16}, <USER>@... for krbtgt/...@...

This bug may be fixed in version 1.4 of MIT Kerberos 5. See the following two
resources for details:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=2656
http://krbdev.mit.edu/rt/Ticket/Display.html?id=2537
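
A check for the mismatch described in this report, as an added example that is not part of the original bug or of krb5: it parses `klist -f` output and compares the issued TGT lifetime and renewable window with what was requested via `kinit -l`/`-r`. The names `parse_klist`, `check_tgt` and the `slack` tolerance are hypothetical, and the mm/dd/yy timestamp layout is assumed from the output quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the `klist -f` output quoted in the report.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <USER>@...

Valid starting     Expires            Service principal
03/25/05 12:58:45  03/26/05 12:58:45  krbtgt/...@...
        renew until 03/26/05 12:58:45, Flags: FRI
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"   # assumes klist's mm/dd/yy output format
TICKET = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
DETAIL = re.compile(rf"^\s+(?:renew until ({STAMP}))?,?\s*(?:Flags: (\w+))?\s*$")

def _ts(s):
    return datetime.strptime(s, "%m/%d/%y %H:%M:%S")

def parse_klist(text):
    """Return one dict per ticket: service, start, lifetime, renewable window, flags."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line)
        if m:
            start = _ts(m.group(1))
            tickets.append({"service": m.group(3), "start": start, "flags": "",
                            "life": _ts(m.group(2)) - start, "renew": timedelta(0)})
        elif tickets and (m := DETAIL.match(line)) and any(m.groups()):
            if m.group(1):   # absent on non-renewable tickets
                tickets[-1]["renew"] = _ts(m.group(1)) - tickets[-1]["start"]
            tickets[-1]["flags"] = m.group(2) or tickets[-1]["flags"]
    return tickets

def check_tgt(text, want_life, want_renew, slack=timedelta(minutes=5)):
    """Report TGTs whose lifetime or renewable window differs from what was requested."""
    problems = []
    for t in parse_klist(text):
        if not t["service"].startswith("krbtgt/"):
            continue
        for name, got, want in (("lifetime", t["life"], want_life),
                                ("renewable window", t["renew"], want_renew)):
            if abs(got - want) > slack:
                problems.append(f"{t['service']}: {name} is {got}, requested {want}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_tgt(SAMPLE, timedelta(days=7), timedelta(days=7))))
```

The same check flags the opposite case, a TGT that lives longer than the site's policy intends, which is the direction that matters when lifetimes are raised to 30 days as in this report.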
Comment 1 Ulrich Seidl 2005-03-26 03:35:46 EST
Created attachment 112357
Patch for KRB5_KDB_MAX_RLIFE Bug

Instead of KRB5_KDB_MAX_RLIFE, KRB5_KDB_MAX_LIFE was used in krb5kdc when
determining the max renew lifetime.
Comment 2 Ulrich Seidl 2005-03-26 03:37:54 EST
Created attachment 112358
Increase the compile time setting of the max (renew) lifetime to 31 days.
Comment 5 Ulrich Seidl 2005-07-25 07:14:30 EDT
What about the changes to get this included soon?
Comment 6 Ulrich Seidl 2005-08-14 16:25:29 EDT
Still no answer?
Comment 7 RHEL Product and Program Management 2007-10-19 15:05:48 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
 
For more information on the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
