Chris Cowan via FreeIPA-users wrote: >> I tried various approached to get Renewable tickets : >> modifying the kdc >> modifying krb5.conf >> using kadmin.local on every replica to modify the principal; which is not >> working - as designed (?)- in IPA >> >> What should I do to get a ticket with the correct R flag from IPA ? >> I don't think this is SSSD related (the service needing the renewable >> ticket this way is Apache Storm) >> >> Thanks a lot! > > I'm curious if you ever got an answer or solved this problem? I have users > that will need Kerberos tickets for long running batch jobs. > > I found this post from 2012, and am wondering if it is still accurate. > Reading through these archives to see if there are any recent changes/updates.
Rather than digging up an 11-year old thread, what is it you want to do? There isn't a lot of context from your original post. kinit -r 24 will get you a 24-hour renewable ticket. The maximum time is defined by the ticket policy, ipa krbtpolicy-show There are other ways to avoid expiring tickets but knowing what it is you're trying to do would help. rob > > >> Simo Sorce simo at redhat.com >> Fri May 18 15:27:57 UTC 2012 >> >> Previous message (by thread): [Freeipa-users] howto modify krb principal >> attributes without kadmin.local >> Next message (by thread): [Freeipa-users] Problems replicating with >> Windows 2008 AD >> Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] >> >> On Wed, 2012-05-16 at 15:08 -0700, Thomas Jackson wrote: >>> >>> >>> On Tue, May 15, 2012 at 3:24 PM, Simo Sorce <simo at redhat.com> wrote: >>> On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote: >>> > So going through the documentation it's clearly laid out not >>> to use >>> > kadmin or kadmin.local when using freeipa. I have been >>> unable to find >>> > how to replace this functionality in the documentation. >>> > >>> > If I could use kadmin.local on my kdc I would like to run >>> the >>> > following command.... >>> > >>> > modprinc +requires_hwauth user >>> > >>> > Am I going to need to extend/modify the krb5 schema to >>> modify >>> > principals attributes in this way? >>> > >>> >>> For this specific change you can use kadmin.local, but the IPA >>> UI will >>> not report you anything about it. >>> >>> The flags part is still a weak point of the Web UI, if you >>> want you can >>> open a RFE ticket to ask for better support for these flags, >>> we need to >>> do it at some point we simply haven't yet as we concentrated >>> on more >>> important and pressing issue this far. >>> >>> Simo. >>> >>> -- >>> Simo Sorce * Red Hat, Inc * New York >>> >>> >>> The following errors lead me to believe I am missing something as >>> kadmin.local appears to have access issues when trying to modify a >>> principle. >>> >>> kadmin.local: modprinc +requires_hwauth user >>> modify_principal: User modification failed: Insufficient access while >>> modifying "user". >>> >>> For good measure I've modified /var/kerberos/krb5kdc/kadm5. >>> acl with the correct ACLs for the domain and still encounter the same >>> errors. >>> >>> -ipa 2.1.3 >> >> Ok I took a second look at how to make it simple. >> >> First of all I misremembered about the fact these flags were saved in >> the krbExtraData field. They are not, there is a specific attribute for >> all ticket flags that is called krbTicketFlags. >> >> This attribute is normally not set on entries, as the defaults for the >> realm are used, however the requires_hwauth flag is not a default and >> you want to enable it only for user principals, not all principals on >> the server. >> >> That can be easily done by adding the krbTicketFlags attribute. >> However in order to do this properly you need to calculate what value to >> set based on this (partial) table: >> >> KRB5_KDB_DISALLOW_POSTDATED 0x00000001 >> KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002 >> KRB5_KDB_DISALLOW_TGT_BASED 0x00000004 >> KRB5_KDB_DISALLOW_RENEWABLE 0x00000008 >> KRB5_KDB_DISALLOW_PROXIABLE 0x00000010 >> KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020 >> KRB5_KDB_DISALLOW_ALL_TIX 0x00000040 >> KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080 >> KRB5_KDB_REQUIRES_HW_AUTH 0x00000100 >> KRB5_KDB_REQUIRES_PWCHANGE 0x00000200 >> >> The default flag for IPA user is KRB5_KDB_REQUIRES_PRE_AUTH, so in order >> to properly set the flag you need to combine it with the flag you want >> that is KRB5_KDB_REQUIRES_HW_AUTH. >> >> So 0x0100 + 0x0080 = 0x0180 >> >> In decimal 0x0180 becomes 384 >> >> So you need to change the entry to set krbTicketFlags to 384 >> >> Now, normally I would tell you to do that using the following command: >> ipa user-mod <username> --setattr=krbticketflags=384 >> >> However, we do restrict even admin from touching that attribute, so you >> have 2 options: >> >> 1. change the default ACI to allow admin to edit that attribute. >> 2. do an ldapmodify operation instead using the Directory Manager >> credentials. >> >> Simo. >> >> -- >> Simo Sorce * Red Hat, Inc * New York >> >> > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue > _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
