Bug 152152 - Max Lifetime of TGT limited to 1 day
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: krb5
Version: 3.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-03-25 12:15 UTC by Ulrich Seidl
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-19 19:05:48 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch for KRB5_KDB_MAX_RLIFE Bug (526 bytes, patch)
2005-03-26 08:35 UTC, Ulrich Seidl
Increase the compile time setting of the max (renew) lifetime to 31 days. (666 bytes, patch)
2005-03-26 08:37 UTC, Ulrich Seidl

Description Ulrich Seidl 2005-03-25 12:15:33 UTC
Description of problem:
Cannot retrieve TGTs that have a maxlifetime / maxrenewlifetime > 1 day.

Version-Release number of selected component (if applicable):
krb5 1.2.7-38

How reproducible:
Always. I have set the maxlifetime / maxrenewlifetime of all principals to 30
days with kadmin / modprinc and checked the settings with kadmin / getprinc.
(Even did this for K/M@... krbtgt/...@...). Additionally entered "max_life =
30days" in /var/kerberos/krb5kdc/kdc.conf and "ticket_lifetime = 30days"
"renew_lifetime = 30days" in /etc/krb5.conf within the libdefaults section.

 
Steps to Reproduce:
1. kinit -l 7days -r 7days <USER>
2. klist -f
3. 
  
Actual results:
Get a Ticket that is valid for 1 day, with max renewable time 1 day.

Expected results:
Get a Ticket valid for 7 days.

Additional info:
output of "klist -f":

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <USER>@...

Valid starting     Expires            Service principal
03/25/05 12:58:45  03/26/05 12:58:45  krbtgt/...@...
        renew until 03/26/05 12:58:45, Flags: FRI

krb5kdc.log contains:
... krb5kdc[30355](info): AS_REQ (5 etypes {16 23 1 3 2}) <HOSTIP>(88): ISSUE:
authtime 1111752748, etypes {rep=16 tkt=16 ses=16}, <USER>@... for krbtgt/...@...

This bug may be fixed in version 1.4 of MIT Kerberos 5. See the following two
resources for details:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=2656
http://krbdev.mit.edu/rt/Ticket/Display.html?id=2537
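
The check described in the report above (request a long-lived ticket, then read `klist -f`), as an added example that is not part of the original bug report or of krb5. It assumes the mm/dd/yy timestamp layout shown in the quoted output; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the `klist -f` output quoted in the report.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <USER>@...

Valid starting     Expires            Service principal
03/25/05 12:58:45  03/26/05 12:58:45  krbtgt/...@...
        renew until 03/26/05 12:58:45, Flags: FRI
"""

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"renew until ({STAMP})")
FLAGS_RE = re.compile(r"Flags:\s*(\w+)")

def _ts(text):
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")

def parse_klist(output):
    """Return one dict per ticket with its lifetime and renewable window."""
    tickets = []
    for line in output.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start, end = _ts(m.group(1)), _ts(m.group(2))
            tickets.append({"service": m.group(3), "start": start,
                            "lifetime": end - start,
                            "renewable": timedelta(0), "flags": ""})
        elif tickets:  # continuation line belonging to the last ticket
            r, f = RENEW_RE.search(line), FLAGS_RE.search(line)
            if r:
                tickets[-1]["renewable"] = _ts(r.group(1)) - tickets[-1]["start"]
            if f:
                tickets[-1]["flags"] = f.group(1)
    return tickets

def clamped(ticket, want_life, want_renew):
    """Names of the requested values that the issued ticket falls short of."""
    checks = (("lifetime", want_life), ("renewable", want_renew))
    return [name for name, want in checks if ticket[name] < want]

if __name__ == "__main__":
    week = timedelta(days=7)  # what `kinit -l 7days -r 7days` asked for
    for t in parse_klist(SAMPLE_KLIST):
        print(t["service"], t["lifetime"], t["flags"], clamped(t, week, week))
```
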

Comment 1 Ulrich Seidl 2005-03-26 08:35:46 UTC
Created attachment 112357
Patch for KRB5_KDB_MAX_RLIFE Bug

Instead of KRB5_KDB_MAX_RLIFE, KRB5_KDB_MAX_LIFE was used in krb5kdc when
determining the max renew lifetime.

Comment 2 Ulrich Seidl 2005-03-26 08:37:54 UTC
Created attachment 112358
Increase the compile time setting of the max (renew) lifetime to 31 days.

Comment 5 Ulrich Seidl 2005-07-25 11:14:30 UTC
What about the chances to get this included soon?

Comment 6 Ulrich Seidl 2005-08-14 20:25:29 UTC
Still no answer?

Comment 7 RHEL Program Management 2007-10-19 19:05:48 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
 
For more information on the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
