LinuxQuestions.org

avbaranin 08-01-2016 03:52 AM

MIT Kerberos ticket life problem
 
Hello, all!

I use MIT Kerberos, version 1.14.2, compiled from source.
And I can't force the kdc to issue tickets for more than 10 hours.

This is part of my krb5.conf:

[libdefaults]
default_realm = ALFA.IT
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_canonicalize_hostname = false
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
ticket_lifetime = 1d 0h 0m 0s
renew_lifetime = 14d 1h 0m 0s

This is part of my kdc.conf:

[realms]
ALFA.IT = {
database_module = LDAP
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 1d 0h 0m 0s
max_renewable_life = 14d 1h 0m 0s

Here are my tests:

root@debian:/etc/krb5kdc# kinit -l "9h"
Password for root@ALFA.IT:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting Expires Service principal
08/01/2016 11:19:12 08/01/2016 20:19:12 krbtgt/ALFA.IT@ALFA.IT
renew until 08/08/2016 11:19:12

Ticket is ok and is for 9 hours.

root@debian:/etc/krb5kdc# kdestroy

Trying to get a ticket for 12 hours.

root@debian:/etc/krb5kdc# kinit -l "12h"
Password for root@ALFA.IT:

root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting Expires Service principal
08/01/2016 11:19:39 08/01/2016 21:19:39 krbtgt/ALFA.IT@ALFA.IT
renew until 08/08/2016 11:19:39

Now we see that the ticket issued by the kdc is for 10 hours only.

root@debian:/etc/krb5kdc# kdestroy

Now trying to get ticket for 1 day:

root@debian:/etc/krb5kdc# kinit -l "1d"
Password for root@ALFA.IT:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting Expires Service principal
08/01/2016 11:19:53 08/01/2016 21:19:53 krbtgt/ALFA.IT@ALFA.IT
renew until 08/08/2016 11:19:53

Ticket obtained is for 10 hours too.

I tried setting the time in different units (24h, 1440m, etc.) in the kdc and client library configs, but the result was the same - I can get a TGT for 10 hours only.

Note that the renew time is ignored by the kdc too.

What's wrong?
Is it a Kerberos bug or a bug in the configuration?
Please, help!

avbaranin 08-01-2016 08:12 AM

Solved.

I have an LDAP backend. And as I found out, there are limits on the database level which have more power than the limits on the config level. When the limits on the database level were corrected in the LDAP backend, everything started working right.
Limits in the database come from the config at database creation.
I don't know if it is true for other types of backends, but it's true for the LDAP backend.
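A small diagnostic, added here and not from the thread, that illustrates the cause described above: the KDC issues a TGT no longer than the smallest of the lifetime requested with kinit -l, max_life in kdc.conf, and the "Maximum ticket life" stored on the client principal and on krbtgt/REALM in the KDC database. The database values below (10 hours, MIT's built-in default) are assumed, since the thread does not show kadmin getprinc output; the klist text is copied from the 1-day attempt.

```python
import re
from datetime import datetime

_UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Seconds for krb5.conf/kinit durations ('1d 0h 0m 0s', '24h', '1440m',
    '36000', '10:00:00') and kadmin getprinc output ('0 days 10:00:00')."""
    text = text.strip()
    m = re.fullmatch(r"(?:(\d+) days? )?(\d+):(\d\d)(?::(\d\d))?", text)
    if m:
        d, h, mi, s = (int(x or 0) for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    if re.fullmatch(r"\d+", text):
        return int(text)
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != re.sub(r"\s+", "", text):
        raise ValueError("unrecognised duration: %r" % text)
    return sum(int(n) * _UNIT[u] for n, u in parts)

def effective_tgt_life(requested, limits):
    """Return (seconds, source): the tightest of the requested life and the
    named limits (kdc.conf max_life, client principal, krbtgt principal)."""
    best = (parse_duration(requested), "kinit -l")
    for name, value in limits.items():
        secs = parse_duration(value)
        if secs < best[0]:
            best = (secs, name)
    return best

_KLIST = re.compile(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
                    r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+krbtgt/")

def issued_tgt_life(klist_output):
    """Seconds between 'Valid starting' and 'Expires' on the krbtgt line."""
    m = _KLIST.search(klist_output)
    if not m:
        raise ValueError("no krbtgt entry found in klist output")
    fmt = "%m/%d/%Y %H:%M:%S"
    start, end = (datetime.strptime(g, fmt) for g in m.groups())
    return int((end - start).total_seconds())

# klist output copied from the thread's 1-day attempt
KLIST_1D = """Valid starting     Expires            Service principal
08/01/2016 11:19:53  08/01/2016 21:19:53  krbtgt/ALFA.IT@ALFA.IT
\trenew until 08/08/2016 11:19:53
"""
# Assumed database values (not shown in the thread): MIT's default 10 hours,
# in the format kadmin getprinc prints for 'Maximum ticket life'.
LIMITS = {
    "kdc.conf max_life": "1d 0h 0m 0s",
    "root@ALFA.IT max life (getprinc, assumed)": "0 days 10:00:00",
    "krbtgt/ALFA.IT max life (getprinc, assumed)": "0 days 10:00:00",
}

if __name__ == "__main__":
    secs, source = effective_tgt_life("1d", LIMITS)
    print("predicted %dh TGT, capped by: %s" % (secs // 3600, source))
    print("klist shows %dh TGT" % (issued_tgt_life(KLIST_1D) // 3600))
```

After fixing the principals with kadmin modprinc -maxlife, re-run getprinc on both the user and krbtgt/REALM principals and feed the printed values into LIMITS; the prediction should then follow kdc.conf.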
