Bug 704263 - Cannot request renewable tickets
Summary: Cannot request renewable tickets
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
Version: 5.6
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-05-12 15:57 UTC by Orion Poplawski
Modified: 2011-05-12 18:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-12 17:35:00 UTC
Target Upstream Version:


Description Orion Poplawski 2011-05-12 15:57:32 UTC
Description of problem:

[realms]
 CORA.NWRA.COM = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  default_principal_flags = +renewable
  max_renewable_life = 7d 0h 0m 0s
 }

[orion@earth ~]$ kinit -V -r 2d
Password for orion.COM: 
Authenticated to Kerberos v5
[orion@earth ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1744_VWTZS20309
Default principal: orion.COM

Valid starting     Expires            Service principal
05/12/11 09:51:04  05/13/11 09:51:04  krbtgt/CORA.NWRA.COM.COM
        renew until 05/12/11 09:51:04


Kerberos 4 ticket cache: /tmp/tkt1744
klist: You have no tickets cached
[orion@earth ~]$ kinit -R
kinit(v5): Ticket expired while renewing credentials

Version-Release number of selected component (if applicable):
krb5-server-1.6.1-55.el5_6.1

Comment 1 Nalin Dahyabhai 2011-05-12 16:58:03 UTC
What are the maximum renewable lifetimes set on orion.COM and krbtgt/CORA.NWRA.COM.COM?  Is either of those 0?

Comment 2 Orion Poplawski 2011-05-12 17:25:33 UTC
Ah, I did not realize that the principals themselves had that attribute.  They were both 0.  Changing both to 7 days allows it to work:

[orion@orca orion]$ kinit -r 5d
Password for orion.COM: 
[orion@orca orion]$ klist
Ticket cache: FILE:/tmp/krb5cc_1744
Default principal: orion.COM

Valid starting     Expires            Service principal
05/12/11 11:23:26  05/13/11 11:23:23  krbtgt/CORA.NWRA.COM.COM
        renew until 05/17/11 11:23:23
[orion@orca orion]$ kinit -R
[orion@orca orion]$ klist
Ticket cache: FILE:/tmp/krb5cc_1744
Default principal: orion.COM

Valid starting     Expires            Service principal
05/12/11 11:23:34  05/13/11 11:23:31  krbtgt/CORA.NWRA.COM.COM
        renew until 05/17/11 11:23:23


Is there any way to get new principals to automatically have the maxrenewlife set, or do I need to do that manually when adding?

Thanks!
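
A constructed model of the arithmetic behind comments 1 and 2, as an added example that is not part of this bug report: the effective renewable life is taken as the minimum of the requested -r value, the realm's max_renewable_life, the client principal's maxrenewlife and the krbtgt principal's maxrenewlife (that min-of-four rule is an assumption about MIT krb5, not something stated in the report; the sample times are the report's own).

```python
from datetime import datetime, timedelta

DAY = timedelta(days=1)


def renew_until(start, requested, realm_max, client_max, service_max):
    """Renew-till time the KDC stamps on a TGT (assumed rule: the
    shortest of the four limits wins, so a 0 on either principal
    collapses 'renew until' onto the start time)."""
    effective = min(requested, realm_max, client_max, service_max)
    return start + effective


def can_renew(now, expires, renew_till):
    """kinit -R only works while the ticket is inside both its lifetime
    and its renewable lifetime; outside that window the client reports
    'Ticket expired while renewing credentials'."""
    return now < expires and now < renew_till


def broken_case():
    # Constructed from the report: kinit -r 2d, realm max 7d, but both
    # principals still at maxrenewlife 0 -> renew until == start time.
    start = datetime(2011, 5, 12, 9, 51, 4)
    rt = renew_until(start, 2 * DAY, 7 * DAY, timedelta(0), timedelta(0))
    return rt, can_renew(start + timedelta(minutes=1), start + DAY, rt)


def fixed_case():
    # After both principals get maxrenewlife 7d, kinit -r 5d yields
    # renew until start + 5d (the report's clock differs by a few
    # seconds because the KDC timestamps the request, not the cache).
    start = datetime(2011, 5, 12, 11, 23, 26)
    rt = renew_until(start, 5 * DAY, 7 * DAY, 7 * DAY, 7 * DAY)
    return rt, can_renew(start + timedelta(seconds=8), start + DAY, rt)


if __name__ == "__main__":
    print("maxrenewlife 0 on principals:", broken_case())
    print("maxrenewlife 7d on principals:", fixed_case())
```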

Comment 3 Nalin Dahyabhai 2011-05-12 17:35:00 UTC
The default is set from the KDC's setting for the max_renewable_life.  My guess is it was set in your configuration file after the entries in question were created.  Anyhow, marking this one works-for-me.

Comment 4 Orion Poplawski 2011-05-12 17:38:59 UTC
It doesn't appear to be picking up that default when creating new principals.

Comment 5 Nalin Dahyabhai 2011-05-12 17:49:58 UTC
It does when I try it.  If you're using kadmin remotely, was kadmind restarted since the configuration was last modified?

Comment 6 Orion Poplawski 2011-05-12 18:10:27 UTC
Ah, that was it.  I had restarted the kdc but not kadmind.
