Harald Barth wrote: > > > What should I specify in krb5.conf to always obtain renewable tickets? > > It might be missing from the man page, but I think it is > > [libdefaults] > renewable = true >
Indeed, after the first "kinit -R" the ticket looses it renewable property. It is a desired/expected behaviour? Please see the output below: Script started on Sun Jun 26 10:22:42 2016 You have mail. [sudakov@vas ~] klist klist: No ticket file: /tmp/krb5cc_1001 [sudakov@vas ~] kinit suda...@sibptus.ru's Password: [sudakov@vas ~] klist -v Credentials cache: FILE:/tmp/krb5cc_1001 Principal: suda...@sibptus.ru Cache version: 4 Server: krbtgt/sibptus...@sibptus.ru Client: suda...@sibptus.ru Ticket etype: aes256-cts-hmac-sha1-96, kvno 1 Ticket length: 433 Auth time: Jun 26 10:22:49 2016 End time: Jul 3 10:22:49 2016 Renew till: Jul 3 10:22:49 2016 Ticket flags: pre-authent, initial, renewable, forwardable Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, IPv6:2001:470:35:7af::2, IPv4:192.168.1.1 [sudakov@vas ~] kinit -R [sudakov@vas ~] kinit -R kinit: krb5_get_kdc_cred: KDC can't fulfill requested option [sudakov@vas ~] klist -v Credentials cache: FILE:/tmp/krb5cc_1001 Principal: suda...@sibptus.ru Cache version: 4 Server: krbtgt/sibptus...@sibptus.ru Client: suda...@sibptus.ru Ticket etype: aes256-cts-hmac-sha1-96, kvno 1 Ticket length: 433 Auth time: Jun 26 10:22:49 2016 Start time: Jun 26 10:22:54 2016 End time: Jul 3 10:22:49 2016 Ticket flags: transited-policy-checked, pre-authent, forwardable Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, IPv6:2001:470:35:7af::2, IPv4:192.168.1.1 [sudakov@vas ~] exit Script done on Sun Jun 26 10:23:00 2016 -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru