Date: Fri, 20 Aug 2010 20:00:06 +0400
Subject: problem with renewing ticket. valid starting date eq renew until
From: Антон <fr.butch@gmail.com>
To: krb5-bugs@MIT.EDU
I have a krb5 KDC server with an LDAP backend.
When I try to renew a ticket I get:
$ kinit -R
kinit(v5): Ticket expired while renewing credentials

$ kinit -r 7d -l 2d
Password for f_anton@DOMAIN.MY: 
$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1013_s1kvrE
Default principal: f_anton@DOMAIN.MY

Valid starting     Expires            Service principal
08/20/10 19:54:27  08/21/10 19:54:27  krbtgt/DOMAIN.MY@DOMAIN.MY
renew until 08/20/10 19:54:27, Flags: RI

Valid starting = renew until.


in kadmin.local:
kadmin.local:  getprinc f_anton
[..]
Maximum ticket life: 2 days 00:00:00
Maximum renewable life: 28 days 00:00:00
[..]
Attributes:
Policy: default
kadmin.local:  getpol default
Policy: default
Maximum password life: 157766400
Minimum password life: 86400
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 3
Reference count: 2


==========
kdc.conf:

[realms]
DOMAIN.MY = {
  master_key_type = des-cbc-crc
  supported_enctypes = rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3
  max_renewable_life = 7d 0h 0m 0s
  max_life = 2d 0h 0m 0s
  default_principal_flags = +renewable
  krbMaxTicketLife = 172800 
  krbMaxRenewableAge = 604800
}

==========
krb5.conf:

[libdefaults]
default_realm = DOMAIN.MY
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 2d
renew_lifetime = 7d

[dbdefaults]
ldap_kerberos_container_dn = "cn=kerberos,ou=kdcroot,dc=domain,dc=my"

[dbmodules]
domain.my = {
    db_library = kldap
    ldap_kdc_dn = cn=kdc,ou=kdcroot,dc=domain,dc=my
    ldap_kadmind_dn = cn=kadmin,ou=kdcroot,dc=domain,dc=my
    ldap_service_password_file = /var/lib/kerberos/krb5kdc/domain.my.ldapkey
    ldap_servers = ldap://localhost/
    ldap_conns_per_server = 15
}

[realms]
DOMAIN.MY = {
    database_module = domain.my
    admin_server = server6.domain.my
    default_domain = domain.my
    kdc = server7.domain.my
    kdc = server6.domain.my
    krbMaxTicketLife = 172800             
    krbMaxRenewableAge = 604800    
}
=============

# rpm -qa '*krb*'
libkrb5-1.6.3-alt9
libkrb5-devel-1.6.3-alt9
krb5-ticket-watcher-1.0.2-alt3
krb5-kinit-1.6.3-alt9
krb5-kadmin-1.6.3-alt9
krb5-server-1.6.3-alt9
krb5-services-1.6.3-alt9
krb5-kdc-1.6.3-alt9
libkrb5-ldap-1.6.3-alt9
pam_krb5-3.13-alt1

Date: Mon, 23 Aug 2010 10:56:06 +0400
Subject: Re: [krbdev.mit.edu #6759] problem with renewing ticket. valid starting date eq renew until
From: Антон <fr.butch@gmail.com>
To: rt@krbdev.mit.edu
Well, I just fixed this.
I found that the K/M and krbtgt principals have
krbMaxRenewableAge = 0
After
kadmin.local: modprinc -maxrenewlife "1 week" K/M
kadmin.local: modprinc -maxrenewlife "1 week" krbtgt/DOMAIN.MY@DOMAIN.MY
tickets have a 1 week renewing period.








--
Best regards, Anton.
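
Added example (not part of the original messages and not MIT krb5 code): the KDC grants the smallest of the requested renewable lifetime and the client-principal, krbtgt-principal and realm limits, so a krbtgt entry with a maximum renewable life of 0 leaves "renew until" equal to "Valid starting", as in the klist output above. The krbtgt getprinc text is constructed sample data, and the function and variable names are hypothetical.

```shell
#!/bin/sh
# Constructed sample `getprinc` output; on a live KDC this would come from
#   kadmin.local -q "getprinc <principal>"
CLIENT_PRINC='Principal: f_anton@DOMAIN.MY
Maximum ticket life: 2 days 00:00:00
Maximum renewable life: 28 days 00:00:00'
TGS_BEFORE='Principal: krbtgt/DOMAIN.MY@DOMAIN.MY
Maximum ticket life: 2 days 00:00:00
Maximum renewable life: 0 days 00:00:00'
TGS_AFTER='Principal: krbtgt/DOMAIN.MY@DOMAIN.MY
Maximum ticket life: 2 days 00:00:00
Maximum renewable life: 7 days 00:00:00'
REALM_MAX=604800    # max_renewable_life = 7d from kdc.conf
REQUESTED=604800    # kinit -r 7d

# Read getprinc output on stdin; print "Maximum renewable life" in seconds.
renew_life_seconds() {
    awk -F': ' '
        /^Maximum renewable life:/ {
            n = split($2, p, /[ :]+/)      # "28 days 00:00:00" -> 5 fields
            if (n != 5) exit 2             # unexpected duration format
            print p[1] * 86400 + p[3] * 3600 + p[4] * 60 + p[5]
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# Print the smallest of the given second counts.
effective_renew_seconds() {
    min=$1; shift
    for v in "$@"; do
        if [ "$v" -lt "$min" ]; then min=$v; fi
    done
    echo "$min"
}

# $1 = client getprinc text, $2 = krbtgt getprinc text
renew_window() {
    c=$(printf '%s\n' "$1" | renew_life_seconds) || return 1
    t=$(printf '%s\n' "$2" | renew_life_seconds) || return 1
    effective_renew_seconds "$REQUESTED" "$c" "$t" "$REALM_MAX"
}

echo "krbtgt maxrenewlife 0:      $(renew_window "$CLIENT_PRINC" "$TGS_BEFORE") s"
echo "krbtgt maxrenewlife 1 week: $(renew_window "$CLIENT_PRINC" "$TGS_AFTER") s"
```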