On Mon, 2004-10-25 at 13:35, Phil Dibowitz wrote:
> On Mon, Oct 25, 2004 at 01:28:32PM -0700, Eric Andresen wrote:
> >
> > Try adding this small patch to your krb5 distribution -- it enables
> > kinit to look up default values for lifetime, renew lifetime, and
> > forwardable from the kinit and libdefaults sections.
>
> I'm happy to try a patch -- but if I understand the above (which I interpret
> as "adds support to kinit for reading libdefaults attributes from krb5.com"),
> if that was the problem, wouldn't "kinit -r 7d" work? Since that fails to
> work, I'm not understanding why adding this support would solve the problem
> (although it's a useful feature, and a good patch to have...).
>
> Am I missing something?
>
> That probably sounds a lot like biting the hand that feeds me -- and I'm
> really trying not to -- I just want to fully understand.
>
> Thanks for everyone's help.

First, I'd like to mention I was mistaken when I said the 'libdefaults'
section, I meant 'appdefaults', such as:

[appdefaults]
    ticket_lifetime = 30days
    renew_lifetime = 180days

or alternatively, within a 'kinit' subgroup.

That said, I'm not quite sure why renewals are not working for you with
your current settings; I believe that it may have to do with your default
principal flags. The default for default_principal_flags is for
postdateable, forwardable, tgt-based, renewable, proxiable, dup-skey,
allow-tickets, and service to be enabled, and all others to be disabled.
You may wish to play with toggling some of the values that differ from
your user-defined value for these and see if it helps at all. A quick
glance at the kadm5 code shows that the user supplied doesn't get combined
with the defaults, just overrides them entirely, so this might be of
interest to you.

HTH,
--
Eric Andresen
Systems Administrator
Mars Space Flight Facility
Arizona State University
[EMAIL PROTECTED]
(480) 727-8471
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
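The [appdefaults] lookup discussed in this thread, as an added example that is not part of the original messages or the patch: a simplified krb5.conf parser that resolves a kinit option in the precedence order krb5.conf(5) documents for [appdefaults] (application and realm, application, realm, bare option). The realm name, the kinit subgroup values and the function names are assumptions; whether the patch follows this order is not shown in the thread.

```python
import re

# Constructed sample: the two top-level values come from the message above;
# the realm name and the kinit subgroup are made up for illustration.
SAMPLE = """
[libdefaults]
    default_realm = EXAMPLE.ORG

[appdefaults]
    ticket_lifetime = 30days
    renew_lifetime = 180days
    kinit = {
        renew_lifetime = 7d
        forwardable = true
    }
"""

def parse_profile(text):
    """Parse krb5.conf-style text into nested dicts (simplified: no
    include directives, no quoted values, no repeated keys)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        section = re.fullmatch(r"\[(\w+)\]", line)
        if section:                       # new top-level section
            stack = [root, root.setdefault(section.group(1), {})]
        elif line == "}":                 # end of a subgroup
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":              # start of a subgroup
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return root

def appdefault(profile, app, realm, option, default=None):
    """Return the most specific [appdefaults] value for option, or default."""
    sect = profile.get("appdefaults", {})
    app_sect = sect.get(app, {})
    per_realm = app_sect.get(realm, {}) if isinstance(app_sect, dict) else {}
    for scope in (per_realm, app_sect, sect.get(realm, {}), sect):
        if isinstance(scope, dict) and isinstance(scope.get(option), str):
            return scope[option]
    return default
```

The value resolved here is only what the client asks for; the lifetime actually granted is still capped by the KDC and the principal's own settings.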
