Description of problem:
Cannot get kerberos ticket issued for longer than 1 day.

Version-Release number of selected component (if applicable):
krb5-server-1.3.4-27

How reproducible:
Always

Steps to Reproduce:
1. kinit to get krb5 ticket
2. klist shows ticket is only good for 1 day

Actual results:
kinit only issues tickets for 1 day

Expected results:
kinit should get a ticket for the maximum allowable lifetime configured on the server and requested by the client.

Additional info:
This is a similar issue as Bug 152152 for RHEL-3. The problem is that the krb5kdc server is not reading the kdc.conf file and honoring the max_life and max_renewable_life variable settings in the kdc.conf file. If these are valid settings they should be used instead of the internal default of 1 day.

kdc.conf settings:

    [realms]
     CSX.UNC.EDU = {
      max_life = 604800
      max_renewable_life = 1209600
     }

This sets max_life to 7 days and max_renewable_life to 14 days. If you create the principal with the same expiration times and also the "krbtgt/CSX.UNC.EDU.EDU" principal you should be able to get tickets for 7 days renewable for 14 days.

I compiled Kerberos 1.4.3 from MIT and just dropped in the krb5kdc executable with the same config file and principal database and it works. So the problem is in the krb5kdc server. If Kerberos 1.4 is compatible with Red Hat's 1.3 release it would be nice to get this as an rpm update. Thanks.
Should have said:

Steps to Reproduce:
1). kinit -l 7d or anything greater than 1.

You should get a ticket up to 7 days but the max you can get is 1 day.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
The parser for delta times in 1.4.3 is more forgiving, but the problem here is that in 1.3.4, a number like "604800" isn't recognized as a time interval. Either appending "s" to indicate that it's a count of seconds, or switching to a representation such as "7d" would work around that.
Yes, this fixed it! Thank you. You can close this bug.

    [realms]
     CSX.UNC.EDU = {
      max_life = 604800s
      max_renewable_life = 1209600s
     }

or

    [realms]
     CSX.UNC.EDU = {
      max_life = 7d
      max_renewable_life = 14d
     }

fixed the problem. Thanks Nalin!
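A check for the condition diagnosed in this thread, as an added example that is not part of the original report or of krb5 itself: it scans kdc.conf text for max_life / max_renewable_life values in [realms] that are bare integers, the form 1.3.4 does not recognize as a time interval, and suggests the "s"-suffixed form. The function name and the EXAMPLE.COM realm are hypothetical; the sample config is constructed from the values quoted above.

```python
import re

# The two kdc.conf relations named in this report; both hold time intervals.
DURATION_KEYS = {"max_life", "max_renewable_life"}
BARE_INTEGER = re.compile(r"\d+")

def find_unitless_durations(conf_text):
    """Return (line_no, realm, key, value, suggested) for bare-integer durations in [realms]."""
    findings = []
    section = None  # name of the current [section]
    realm = None    # name of the current realm block, if inside one
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
            continue
        if line == "}":                      # end of a realm block
            realm = None
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep:
            continue
        if value == "{":                     # "REALM = {" opens a realm block
            realm = key
            continue
        if (section == "realms" and realm and key in DURATION_KEYS
                and BARE_INTEGER.fullmatch(value)):
            findings.append((line_no, realm, key, value, value + "s"))
    return findings

# Constructed sample: the first realm repeats the values from the report,
# the second (hypothetical) realm already uses unit suffixes.
SAMPLE_KDC_CONF = """\
[realms]
 CSX.UNC.EDU = {
  max_life = 604800
  max_renewable_life = 1209600
 }
 EXAMPLE.COM = {
  max_life = 7d
  max_renewable_life = 14d
 }
"""

if __name__ == "__main__":
    for line_no, realm, key, value, suggested in find_unitless_durations(SAMPLE_KDC_CONF):
        print(f"line {line_no}: {realm}: {key} = {value} has no unit; use {suggested}")
```

A silently ignored max_life falls back to the 1-day default described in the report, so a clean result here is worth confirming with klist after a fresh kinit.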
Although this bugzilla was approved for RHEL 4.5, we were unable to resolve it in time to be included in the release. Therefore it is now proposed for RHEL 4.6.
Backported the change which makes the parser more forgiving because it's pretty trivial.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2007-0788.html