Description of problem:
Cannot retrieve a TGT that has a maxlifetime / maxrenewlifetime > 1 day.

Version-Release number of selected component (if applicable):
krb5 1.2.7-38

How reproducible:
Always. I have set the maxlifetime / maxrenewlifetime of all principals to 30 days with kadmin / modprinc and checked the settings with kadmin / getprinc. (Even did this for K/M@... krbtgt/...@...). Additionally entered "max_life = 30days" in /var/kerberos/krb5kdc/kdc.conf and "ticket_lifetime = 30days" "renew_lifetime = 30days" in /etc/krb5.conf within the libdefaults section.

Steps to Reproduce:
1. kinit -l 7days -r 7days <USER>
2. klist -f

Actual results:
Get a ticket that is valid for 1 day, with max renewable time 1 day.

Expected results:
Get a ticket valid for 7 days.

Additional info:
Output of "klist -f":

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <USER>@...

Valid starting     Expires            Service principal
03/25/05 12:58:45  03/26/05 12:58:45  krbtgt/...@...
        renew until 03/26/05 12:58:45, Flags: FRI

krb5kdc.log contains:

...
krb5kdc[30355](info): AS_REQ (5 etypes {16 23 1 3 2}) <HOSTIP>(88): ISSUE: authtime 1111752748, etypes {rep=16 tkt=16 ses=16}, <USER>@... for krbtgt/...@...

This bug may be fixed in version 1.4 of MIT Kerberos 5. See the following two resources for details:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=2656
http://krbdev.mit.edu/rt/Ticket/Display.html?id=2537
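A check for the symptom reported above, added here as an example and not part of the original report: it parses `klist -f` output in the layout quoted above and flags a TGT whose lifetime or renewable window is shorter than what was requested with `kinit -l` / `-r`. The sample output is constructed from the report with EXAMPLE.COM as a placeholder realm, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the klist -f layout quoted in the report
# (EXAMPLE.COM and "user" are placeholders, not values from the report).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@EXAMPLE.COM

Valid starting     Expires            Service principal
03/25/05 12:58:45  03/26/05 12:58:45  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 03/26/05 12:58:45, Flags: FRI
"""

FMT = "%m/%d/%y %H:%M:%S"
TS = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET_RE = re.compile(rf"^{TS}\s+{TS}\s+(\S+)$")
RENEW_RE = re.compile(rf"renew until {TS}")

def parse_klist(text):
    """Return one dict per ticket: service, start, lifetime, renewable."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            start, end = (datetime.strptime(g, FMT) for g in m.group(1, 2))
            tickets.append({"service": m.group(3), "start": start,
                            "lifetime": end - start, "renewable": None})
            continue
        m = RENEW_RE.search(line)
        if m and tickets:  # "renew until" belongs to the ticket line above it
            t = tickets[-1]
            t["renewable"] = datetime.strptime(m.group(1), FMT) - t["start"]
    return tickets

def check_tgt(text, want_life, want_renew):
    """List TGTs whose lifetime or renewable window is below what was requested."""
    findings = []
    for t in parse_klist(text):
        if not t["service"].startswith("krbtgt/"):
            continue
        if t["lifetime"] < want_life:
            findings.append(f"{t['service']}: lifetime {t['lifetime']} < {want_life}")
        if t["renewable"] is None:
            findings.append(f"{t['service']}: ticket is not renewable")
        elif t["renewable"] < want_renew:
            findings.append(f"{t['service']}: renewable {t['renewable']} < {want_renew}")
    return findings

if __name__ == "__main__":
    # Mirrors the report: kinit -l 7days -r 7days, but a 1-day ticket came back.
    for finding in check_tgt(SAMPLE_KLIST, timedelta(days=7), timedelta(days=7)):
        print(finding)
```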
Created attachment 112357
Patch for KRB5_KDB_MAX_RLIFE Bug

Instead of KRB5_KDB_MAX_RLIFE, KRB5_KDB_MAX_LIFE was used in krb5kdc when determining the max renew lifetime.
Created attachment 112358
Increase the compile time setting of the max (renew) lifetime to 31 days.
What about the changes to get this included soon?
Still no answer?
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet those criteria, it is now being closed. For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/

If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.