Bug 197522 - Kerberos maximum ticket lifetime is 1 day
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: krb5
Version: 4.0
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Reported: 2006-07-03 11:59 EDT by John Sopko
Modified: 2007-11-30 17:07 EST
Fixed In Version: RHEA-2007-0788
Doc Type: Bug Fix
Last Closed: 2007-11-15 11:13:28 EST
Description John Sopko 2006-07-03 11:59:21 EDT
Description of problem:
Cannot get a Kerberos ticket issued for longer than 1 day.

Version-Release number of selected component (if applicable):

krb5-server-1.3.4-27

How reproducible:
Always 


Steps to Reproduce:
1. kinit to get krb5 ticket
2. klist shows ticket is only good for 1 day
  
Actual results:
kinit only issues tickets for 1 day

Expected results:
kinit should get a ticket for the maximum allowable
lifetime configured on the server and requested
by the client.

Additional info:

This is a similar issue as Bug 152152 for
RHEL-3.

The problem is that the
krb5kdc server is not reading the kdc.conf file
and honoring the max_life and max_renewable_life variable
settings in the kdc.conf file. If these are valid settings
they should be used instead of the internal default of
1 day.

kdc.conf settings:

[realms]
 CSX.UNC.EDU = {
  max_life = 604800
  max_renewable_life = 1209600
 }

This sets max_life to 7 days and max_renewable_life to 14 days.
If you create the principal with the same expiration times and also
the "krbtgt/CSX.UNC.EDU@CSX.UNC.EDU" principal you should
be able to get tickets for 7 days renewable for 14 days.

I compiled Kerberos 1.4.3 from MIT and just dropped in the
krb5kdc executable with the same config file and principal
database and it works. So the problem is in the krb5kdc
server.

If Kerberos 1.4 is compatible with Red Hat's 1.3 release
it would be nice to get this as an rpm update. Thanks.
Comment 1 John Sopko 2006-07-12 10:04:02 EDT
Should have said:

Steps to Reproduce:
1). kinit -l 7d

or anything greater than 1. You should get a ticket up to
7 days but the max you can get is 1 day.
Comment 2 RHEL Product and Program Management 2006-08-18 11:16:15 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Nalin Dahyabhai 2007-03-05 16:17:57 EST
The parser for delta times in 1.4.3 is more forgiving, but the problem here is
that in 1.3.4, a number like "604800" isn't recognized as a time interval. 
Either appending "s" to indicate that it's a count of seconds, or switching to a
representation such as "7d" would work around that.
Comment 7 John Sopko 2007-03-06 08:12:24 EST
Yes, this fixed it! Thank you. You can close this bug.

[realms]
 CSX.UNC.EDU = {
  max_life = 604800s
  max_renewable_life = 1209600s
 }

or

[realms]
 CSX.UNC.EDU = {
  max_life = 7d
  max_renewable_life = 14d
 }

fixed the problem. Thanks Nalin!
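
The condition described in Comments 6 and 7 can be checked for before a KDC is deployed. The following is an added example, not part of the bug report or of krb5: a small Python lint that flags `max_life` / `max_renewable_life` values written as a bare number, which krb5 1.3.4 does not recognize as a time interval. The function names, the sample text and the `EXAMPLE.TEST` realm are constructed for illustration, and only the single number-plus-unit form is treated as known-good.

```python
import re

# Constructed sample: first realm reuses the report's values, EXAMPLE.TEST is hypothetical.
SAMPLE_KDC_CONF = """\
[realms]
 CSX.UNC.EDU = {
  max_life = 604800
  max_renewable_life = 14d
 }
 EXAMPLE.TEST = {
  max_life = 7d
  max_renewable_life = 1209600s
 }
"""

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}  # page confirms s, d; h, m assumed
KEYS = ("max_life", "max_renewable_life")

def classify(value):
    """Return (status, seconds) for one lifetime value."""
    if re.fullmatch(r"\d+", value):
        # Bare count: not recognized as an interval by krb5 1.3.4 (Comment 6).
        return "bare-number", int(value)
    m = re.fullmatch(r"(\d+)([dhms])", value)
    if m:
        return "ok", int(m.group(1)) * UNITS[m.group(2)]
    return "unchecked", None  # other forms: confirm with kinit -l and klist

def lint(text):
    """List (realm, key, value, status, seconds) for settings under [realms]."""
    findings, section, realm = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif line == "}":
            realm = None
        elif section == "realms" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                realm = key
            elif realm and key in KEYS:
                findings.append((realm, key, value) + classify(value))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE_KDC_CONF), sep="\n")
```

A `bare-number` finding is resolved as in Comment 7, and `kinit -l 7d` followed by `klist` confirms the lifetime the KDC actually grants.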
Comment 8 RHEL Product and Program Management 2007-04-17 17:12:55 EDT
Although this bugzilla was approved for RHEL 4.5, we were unable
to resolve it in time to be included in the release.  Therefore
it is now proposed for RHEL 4.6.
Comment 9 RHEL Product and Program Management 2007-05-09 06:06:21 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 10 Nalin Dahyabhai 2007-08-01 15:25:07 EDT
Backported the change which makes the parser more forgiving because it's pretty
trivial.
Comment 14 errata-xmlrpc 2007-11-15 11:13:28 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2007-0788.html
