LinuxQuestions.org
Latest LQ Deal: Latest LQ Deals
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-01-2016, 03:52 AM   #1
avbaranin
LQ Newbie
 
Registered: Aug 2016
Posts: 2

Rep: Reputation: Disabled
MIT Kerberos ticket life problem


Hello, all!

I use mit kerberos, version 1.14.2, compiled from source.
And I can't to force kdc to issue tickets for more than 10 hours.

This is part of my krb5.conf:

[libdefaults]
default_realm = ALFA.IT
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
dns_canonicalize_hostname = false
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
ticket_lifetime = 1d 0h 0m 0s
renew_lifetime = 14d 1h 0m 0s

This is part of my kdc.conf:

[realms]
ALFA.IT = {
database_module = LDAP
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/stash
kdc_ports = 750,88
max_life = 1d 0h 0m 0s
max_renewable_life = 14d 1h 0m 0s

Here are my tests:

root@debian:/etc/krb5kdc# kinit -l "9h"
Password for root@ALFA.IT:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting Expires Service principal
08/01/2016 11:19:12 08/01/2016 20:19:12 krbtgt/ALFA.IT@ALFA.IT
renew until 08/08/2016 11:19:12

Ticket is ok and is for 9 hours.

root@debian:/etc/krb5kdc# kdestroy

Trying to get a ticket for 12 hours.

root@debian:/etc/krb5kdc# kinit -l "12h"
Password for root@ALFA.IT:

root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting Expires Service principal
08/01/2016 11:19:39 08/01/2016 21:19:39 krbtgt/ALFA.IT@ALFA.IT
renew until 08/08/2016 11:19:39

Now we see what ticket issued by kdc is for 10 hours only.

root@debian:/etc/krb5kdc# kdestroy

Now trying to get ticket for 1 day:

root@debian:/etc/krb5kdc# kinit -l "1d"
Password for root@ALFA.IT:
root@debian:/etc/krb5kdc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@ALFA.IT

Valid starting Expires Service principal
08/01/2016 11:19:53 08/01/2016 21:19:53 krbtgt/ALFA.IT@ALFA.IT
renew until 08/08/2016 11:19:53

Ticket obtained is for 10 hours too.

I used different to set time in different units (24h,1440m, etc) in kdc and client libraries configs, but result was the same - I can get TGT for 10 hours only.

Note, what renew time is ignored by kdc too.

What's wrong?
Is it kerberos bug or bug in configuration?
Please, help!
 
Old 08-01-2016, 08:12 AM   #2
avbaranin
LQ Newbie
 
Registered: Aug 2016
Posts: 2

Original Poster
Rep: Reputation: Disabled
Solved.

I have LDAP backend. And as I found out there are limits on database level which have more power than limits on config level. When limits on database level was corrected in ldap backend, then all start working right.
Limits in database go from config at database creation.
I don't know is it true for another types of backends but it's true for LDAP backend.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem for get ticket from kerberos aspenbr Linux - Networking 1 08-11-2009 10:44 AM
Problem in get ticket with Kerberos aspenbr Linux - Software 0 08-11-2009 04:24 AM
Samba Kerberos Ticket sindri Linux - Software 0 11-24-2004 01:10 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 01:05 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration