Date: | Fri, 20 Aug 2010 20:00:06 +0400 |
Subject: | problem with renewing ticket. valid starting date eq renew until |
From: | áÎÔÏÎ <fr.butch@gmail.com> |
To: | krb5-bugs@MIT.EDU |
i have krb5 kdc server with ldap backend.
when i try to renew tiket i get:
$ kinit -R
kinit(v5): Ticket expired while renewing credentials
$ kinit -r 7d -l 2d
Password for f_anton@DOMAIN.MY:Â
$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1013_s1kvrE
Default principal: f_anton@DOMAIN.MY
Valid starting   Expires       Service principal
08/20/10 19:54:27 Â 08/21/10 19:54:27 Â krbtgt/DOMAIN.MY@DOMAIN.MY
renew until 08/20/10 19:54:27, Flags: RI
Valid starting = renew until.
in kadmin.local:
kadmin.local: Â getprinc f_anton
[..]
Maximum ticket life: 2 days 00:00:00
Maximum renewable life: 28 days 00:00:00
[..]
Attributes:
Policy: default
kadmin.local: Â getpol default
Policy: default
Maximum password life: 157766400
Minimum password life: 86400
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 3
Reference count: 2
==========
kdc.conf:
[realms]
DOMAIN.MY = {
  master_key_type = des-cbc-crc
  supported_enctypes = rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3
  max_renewable_life = 7d 0h 0m 0s
  max_life = 2d 0h 0m 0s
  default_principal_flags = +renewable
  krbMaxTicketLife = 172800Â
  krbMaxRenewableAge = 604800
}
==========
krb5.conf:
[libdefaults]
default_realm = DOMAIN.MY
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 2d
renew_lifetime = 7d
[dbdefaults]
ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,dc=domain,dc=my"
[dbmodules]
domain.my = {
   db_library = kldap
   ldap_kdc_dn = cn=kdc,ou=kdcroot,dc=domain,dc=my
   ldap_kadmind_dn = cn=kadmin,ou=kdcroot,dc=domain,dc=my
   ldap_service_password_file = /var/lib/kerberos/krb5kdc/domain.my.ldapkey
   ldap_servers = ldap://localhost/
   ldap_conns_per_server = 15
}
[realms]
DOMAIN.MY = {
   database_module = domain.my
   admin_server = server6.domain.my
   default_domain = domain.my
   kdc = server7.domain.my
   kdc = server6.domain.my
   krbMaxTicketLife = 172800       Â
   krbMaxRenewableAge = 604800  Â
}
=============
# rpm -qa '*krb*'
libkrb5-1.6.3-alt9
libkrb5-devel-1.6.3-alt9
krb5-ticket-watcher-1.0.2-alt3
krb5-kinit-1.6.3-alt9
krb5-kadmin-1.6.3-alt9
krb5-server-1.6.3-alt9
krb5-services-1.6.3-alt9
krb5-kdc-1.6.3-alt9
libkrb5-ldap-1.6.3-alt9
pam_krb5-3.13-alt1