Well, I just fixed this.

I found that the K/M and krbtgt principals have krbMaxRenewableAge = 0. After

  kadmin.local: modprinc -maxrenewlife "1 week" K/M
  kadmin.local: modprinc -maxrenewlife "1 week" krbtgt@DOMAIN.MY

tickets have a 1 week renewing period.

2010/8/20 krb5:
> i have krb5 kdc server with ldap backend.
> when i try to renew ticket i get:
>
> $ kinit -R
> kinit(v5): Ticket expired while renewing credentials
>
> $ kinit -r 7d -l 2d
> Password for f_anton@DOMAIN.MY:
> $ klist -f
> Ticket cache: FILE:/tmp/krb5cc_1013_s1kvrE
> Default principal: f_anton@DOMAIN.MY
>
> Valid starting       Expires              Service principal
> *08/20/10 19:54:27*  08/21/10 19:54:27    krbtgt/DOMAIN.MY@DOMAIN.MY
>         renew until *08/20/10 19:54:27*, Flags: RI
>
> Valid starting = renew until.
>
> in kadmin.local:
> kadmin.local: getprinc f_anton
> [..]
> Maximum ticket life: 2 days 00:00:00
> Maximum renewable life: 28 days 00:00:00
> [..]
> Attributes:
> Policy: default
> kadmin.local: getpol default
> Policy: default
> Maximum password life: 157766400
> Minimum password life: 86400
> Minimum password length: 6
> Minimum number of password character classes: 2
> Number of old keys kept: 3
> Reference count: 2
>
> ==========
> kdc.conf:
>
> [realms]
>     DOMAIN.MY = {
>         master_key_type = des-cbc-crc
>         supported_enctypes = rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3
>         max_renewable_life = 7d 0h 0m 0s
>         max_life = 2d 0h 0m 0s
>         default_principal_flags = +renewable
>         krbMaxTicketLife = 172800
>         krbMaxRenewableAge = 604800
>     }
>
> ==========
> krb5.conf:
>
> [libdefaults]
>     default_realm = DOMAIN.MY
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     ticket_lifetime = 2d
>     renew_lifetime = 7d
>
> [dbdefaults]
>     ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,dc=domain,dc=my"
>
> [dbmodules]
>     domain.my = {
>         db_library = kldap
>         ldap_kdc_dn = cn=kdc,ou=kdcroot,dc=domain,dc=my
>         ldap_kadmind_dn = cn=kadmin,ou=kdcroot,dc=domain,dc=my
>         ldap_service_password_file = /var/lib/kerberos/krb5kdc/domain.my.ldapkey
>         ldap_servers = ldap://localhost/
>         ldap_conns_per_server = 15
>     }
>
> [realms]
>     DOMAIN.MY = {
>         database_module = domain.my
>         admin_server = server6.domain.my
>         default_domain = domain.my
>         kdc = server7.domain.my
>         kdc = server6.domain.my
>         krbMaxTicketLife = 172800
>         krbMaxRenewableAge = 604800
>     }
> =============
>
> # rpm -qa '*krb*'
> libkrb5-1.6.3-alt9
> libkrb5-devel-1.6.3-alt9
> krb5-ticket-watcher-1.0.2-alt3
> krb5-kinit-1.6.3-alt9
> krb5-kadmin-1.6.3-alt9
> krb5-server-1.6.3-alt9
> krb5-services-1.6.3-alt9
> krb5-kdc-1.6.3-alt9
> libkrb5-ldap-1.6.3-alt9
> pam_krb5-3.13-alt1
>
> --
> Regards, Anton.
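The clamping this thread ran into, worked through as an added example (not code from the thread or from MIT krb5): the KDC grants the smallest of the renewable lifetimes that apply (the kinit -r request, the client principal's maxrenewlife, the krbtgt principal's maxrenewlife and the realm's max_renewable_life), and a `klist -f` entry whose "renew until" equals "Valid starting" is the visible symptom. The getprinc and klist samples are constructed from the values quoted above.

```python
import re
DAY = 86400

# Constructed `kadmin.local getprinc` excerpts modelled on the thread: the
# user principal allows 28 days, but krbtgt (before the fix) allows 0.
GETPRINC_BEFORE = {
    "f_anton@DOMAIN.MY": "Maximum ticket life: 2 days 00:00:00\n"
                         "Maximum renewable life: 28 days 00:00:00\n",
    "krbtgt/DOMAIN.MY@DOMAIN.MY": "Maximum ticket life: 2 days 00:00:00\n"
                                  "Maximum renewable life: 0 days 00:00:00\n",
}

def parse_lifetime(getprinc_text: str, field: str) -> int:
    """Convert a getprinc duration such as '28 days 00:00:00' to seconds."""
    m = re.search(rf"{field}: (\d+) days (\d\d):(\d\d):(\d\d)", getprinc_text)
    if m is None:
        raise ValueError(f"{field!r} not found in getprinc output")
    days, h, mi, s = (int(x) for x in m.groups())
    return days * DAY + h * 3600 + mi * 60 + s

def renewable_limit(getprinc: dict, client: str, krbtgt: str,
                    requested: int, realm_max: int) -> tuple:
    """The KDC grants the smallest of: what kinit -r asked for, the client
    principal's maxrenewlife, the krbtgt principal's maxrenewlife and the
    realm's max_renewable_life. Returns (seconds, name of the winning limit)."""
    limits = {
        "requested (kinit -r)": requested,
        "client principal maxrenewlife": parse_lifetime(getprinc[client], "Maximum renewable life"),
        "krbtgt principal maxrenewlife": parse_lifetime(getprinc[krbtgt], "Maximum renewable life"),
        "realm max_renewable_life": realm_max,
    }
    winner = min(limits, key=limits.get)
    return limits[winner], winner

# Constructed `klist -f` output reproducing the symptom from the thread.
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1013_s1kvrE
Default principal: f_anton@DOMAIN.MY
Valid starting     Expires            Service principal
08/20/10 19:54:27  08/21/10 19:54:27  krbtgt/DOMAIN.MY@DOMAIN.MY
        renew until 08/20/10 19:54:27, Flags: RI
"""
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+\S+ \S+\s+(\S+)\n"
                       r"\s*renew until (\d\d/\d\d/\d\d \d\d:\d\d:\d\d)", re.M)

def unrenewable_tickets(klist_text: str) -> list:
    """Service principals whose 'renew until' equals 'Valid starting': the R
    flag is set but the window is empty, so kinit -R reports it as expired."""
    return [svc for start, svc, until in TICKET_RE.findall(klist_text) if start == until]
```

With the thread's values (kinit -r 7d, realm max_renewable_life 7d) the winning limit is the krbtgt principal at 0 seconds; raising it to 7 days gives the expected one-week window.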