How to configure renewable tickets in Kerberos?
Issue
It does not seem possible to configure renewable tickets in MIT Kerberos.
The following options are set in /var/kerberos/krb5kdc/kdc.conf for a 10-day renewable ticket:
[realms]
 TEST.COM = {
  master_key_type = des3-hmac-sha1
  max_renewable_life = 10d 0h 0m 0s
  default_principal_flags = +postdateable, +forwardable, +tgt-based, +renewable, +proxiable, +dup-skey, +allow-tickets, +service, +preauth
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
getprinc shows the correct value (Maximum renewable life: 10 days):
kadmin.local: getprinc user1
Principal: user1@TEST.COM
Expiration date: [never]
Last password change: Wed Dec 16 14:32:34 CET 2009
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 10 days 00:00:00
Last modified: Wed Dec 16 14:32:34 CET 2009 (root/admin@TEST.COM)
But after getting a ticket with the kinit command, klist does not show the correct value: the "renew until" time is the same as the ticket's start time.
# date
Wed Dec 16 14:58:18 CET 2009
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r.van.leeuwen@TEST.COM

Valid starting     Expires            Service principal
12/16/09 14:57:56  12/17/09 00:57:54  krbtgt/TEST.COM@TEST.COM
        renew until 12/16/09 14:57:56
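A way to check for this symptom automatically, as an added example that is not part of the original article: the script parses klist output and compares each ticket's renewable window (start time to "renew until") with the expected 10 days. The function names are hypothetical, the sample is constructed from the output above, and the mm/dd/yy timestamp format is assumed to match what klist prints on this system.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, copied from the klist output shown above.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: r.van.leeuwen@TEST.COM

Valid starting     Expires            Service principal
12/16/09 14:57:56  12/17/09 00:57:54  krbtgt/TEST.COM@TEST.COM
        renew until 12/16/09 14:57:56
"""

# Assumption: timestamps look like "12/16/09 14:57:56" (other klist builds differ).
STAMP = r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until {STAMP}\s*$")
FMT = "%m/%d/%y %H:%M:%S"

def parse_klist(text):
    """Return one dict per ticket: service, start, expires, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            start, end, service = m.groups()
            tickets.append({"service": service,
                            "start": datetime.strptime(start, FMT),
                            "expires": datetime.strptime(end, FMT),
                            "renew_until": None})
            continue
        m = RENEW_RE.match(line)
        if m and tickets:  # a "renew until" line belongs to the ticket just above it
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
    return tickets

def renewable_window(ticket):
    """Time from ticket start to 'renew until'; zero when the line is absent."""
    if ticket["renew_until"] is None:
        return timedelta(0)
    return ticket["renew_until"] - ticket["start"]

def check(text, expected=timedelta(days=10)):
    """Return (service, window, ok) per ticket; ok means window >= expected."""
    return [(t["service"], renewable_window(t), renewable_window(t) >= expected)
            for t in parse_klist(text)]

if __name__ == "__main__":
    for service, window, ok in check(SAMPLE_KLIST):
        print(f"{service}: renewable window {window} -> {'OK' if ok else 'MISMATCH'}")
```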
Environment
Red Hat Enterprise Linux 5.4
krb5-server-1.6.1-36.el5
