Package: krb5-kdc
Version: 1.4.4-7etch5
Severity: important

Regardless of principal settings, and /etc/krb5kdc/kdc.conf
configuration, maximum ticket life is not granted beyond 10 hours time.
Maximum renewable life is always the time the ticket was issued. 

This prevents users from renewing their tickets (kinit -R).

I have another KDC, and another realm, running krb5-kdc 1.4.4-7etch5 on
i386 which does not have this problem.

A bit more interesting is that in early testing I was not able to get a
maximum ticket life beyond 9 hours. Any attempt to get a ticket with a
longer life would give me tickets that expired at exactly their time of
issuance. I was not able to reproduce this particular symptom during
later testing, which makes me a bit nervous as the behavior seems a bit
erratic.

Included is some information about the principal and a couple attempts
at getting tickets issued with different life/renewal settings.

kadmin.local:  getprinc someuser
Principal: [EMAIL PROTECTED]
Expiration date: [never]
Last password change: Fri May 02 02:26:17 PDT 2008
Password expiration date: Wed Oct 29 02:26:17 PDT 2008
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 2 days 00:00:00
Last modified: Fri May 02 02:54:27 PDT 2008 (someuser/[EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with RSA-MD5, Version 4
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - No Realm
Key: vno 2, DES cbc mode with RSA-MD5, Version 5 - Realm Only
Key: vno 2, DES cbc mode with RSA-MD5, AFS version 3
Attributes: REQUIRES_PRE_AUTH
Policy: default



[EMAIL PROTECTED]:~$ kinit
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1039
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 02:51:39  05/02/08 12:51:39  krbtgt/[EMAIL PROTECTED]
        renew until 05/02/08 02:51:39


Kerberos 4 ticket cache: /tmp/tkt1039
klist: You have no tickets cached

[EMAIL PROTECTED]:~$ kinit -R
kinit(v5): Ticket expired while renewing credentials
[EMAIL PROTECTED]:~$



[EMAIL PROTECTED]:~$ kinit -l 9h -r 9h
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~$ klist
Ticket cache: FILE:/tmp/krb5cc_1039
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 02:52:36  05/02/08 11:52:33  krbtgt/[EMAIL PROTECTED]
        renew until 05/02/08 02:52:36


Kerberos 4 ticket cache: /tmp/tkt1039
klist: You have no tickets cached
[EMAIL PROTECTED]:~$ kinit -R
kinit(v5): Ticket expired while renewing credentials



[EMAIL PROTECTED]:~$ kinit -l 14h -r 24h
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1039
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 02:57:12  05/02/08 12:57:12  krbtgt/[EMAIL PROTECTED]
        renew until 05/02/08 02:57:12, Flags: FPRIA


Kerberos 4 ticket cache: /tmp/tkt1039
klist: You have no tickets cached


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-5-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages krb5-kdc depends on:
ii  deb 1.5.11etch1                          Debian configuration management sy
ii  krb 1.4.4-7etch5                         Basic programs to authenticate usi
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii  lib 1.4.4-7etch5                         MIT Kerberos administration runtim
ii  lib 1.4.4-7etch5                         MIT Kerberos runtime libraries
ii  lsb 3.1-23.2etch1                        Linux Standard Base 3.1 init scrip
ii  net 4.29                                 Basic TCP/IP networking system

krb5-kdc recommends no packages.

-- debconf information:
  krb5-kdc/debconf: true
  krb5-kdc/krb4-mode: none
  krb5-kdc/run-krb524: true
  krb5-kdc/purge_data_too: false



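A check for the symptom reported above, as an added example that is not part of the original report or of krb5: it parses `klist` output and flags tickets whose granted lifetime is shorter than requested or whose "renew until" time equals the start time. The MM/DD/YY timestamp layout is taken from the transcripts, the realm `EXAMPLE.COM` is a placeholder, and the finding codes and the five-minute slack are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

TS = r"(\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})"
TICKET_RE = re.compile(rf"^{TS}\s+{TS}\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s+renew until {TS}(?:, Flags: (\S+))?\s*$")
FMT = "%m/%d/%y %H:%M:%S"  # assumed layout, as shown in the report

# Constructed sample: timestamps and flags from the "kinit -l 14h -r 24h"
# run in the report; the realm EXAMPLE.COM is a placeholder.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1039
Default principal: someuser@EXAMPLE.COM

Valid starting     Expires            Service principal
05/02/08 02:57:12  05/02/08 12:57:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 05/02/08 02:57:12, Flags: FPRIA
"""

def parse_klist(text):
    """Return one dict per ticket found in klist -f style output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            start, end = (datetime.strptime(g, FMT) for g in m.group(1, 2))
            tickets.append({"service": m.group(3), "start": start,
                            "end": end, "renew_until": None, "flags": ""})
        elif tickets and (m := RENEW_RE.match(line)):
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), FMT)
            tickets[-1]["flags"] = m.group(2) or ""
    return tickets

def audit(text, want_life, want_renew, slack=timedelta(minutes=5)):
    """Compare granted lifetimes with the requested ones; return finding codes."""
    findings = []
    for t in parse_klist(text):
        if (t["end"] - t["start"]) + slack < want_life:
            findings.append((t["service"], "life_capped"))
        if t["renew_until"] is None:
            if want_renew > timedelta(0):
                findings.append((t["service"], "not_renewable"))
        elif t["renew_until"] <= t["start"]:
            # Renewable window is empty, so "kinit -R" fails immediately.
            findings.append((t["service"], "renew_window_empty"))
        elif (t["renew_until"] - t["start"]) + slack < want_renew:
            findings.append((t["service"], "renew_capped"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, timedelta(hours=14), timedelta(hours=24)):
        print(*finding)
```

Run against a ticket cache after each `kinit`, this separates the two symptoms in the report: the 10-hour lifetime cap and the empty renewal window that coexists with the `R` flag.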