Hi,

I hope I'm at the right place here for my issue.

This is the case:


On my MacBook (Mac OS X 10.11), I have a renewable Kerberos ticket:

---
macbook013:~ vm$ klist -v
  Credentials cache: API:EF9959E6-85DF-446F-9B21-3CEEC606FA2D
          Principal: v...@realm.com
      Cache version: 0

  Server: krbtgt/realm....@realm.com
  Client: v...@realm.com
  Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
  Ticket length: 342
  Auth time:  Oct 26 13:55:09 2016
  End time:   Nov 25 12:55:05 2016
  Renew till: Jan 26 12:55:05 2017
  Ticket flags: enc-pa-rep, pre-authent, initial, renewable, proxiable, forwardable
  Addresses: addressless
---

If I do an ssh (GSSAPIAuthentication yes, GSSAPIDelegateCredentials yes) 
to a Linux server, the ticket there is not renewable anymore:

---
  macbook013:~ vm$ ssh linuxserver2
  linuxserver2 ~ # klist -f
  Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
  Default principal: v...@realm.com

  Valid starting     Expires            Service principal
  10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/realm....@realm.com
         Flags: FfPAT
  linuxserver2 ~ # krenew
  krenew: error renewing credentials: KDC can't fulfill requested option
  linuxserver2 ~ # kinit -R
  kinit: KDC can't fulfill requested option while renewing credentials
---

If I do a kinit on linuxserver1 and get a renewable ticket there and ssh 
to linuxserver2, the forwarded ticket stays renewable.

I guess it has something to do with the ssh client on Mac OS X? (But 
copying the ssh_config from linuxserver1 to the MacBook does not solve 
it. Copying the krb5.conf doesn't solve it either.)
Or should I search the cause in another direction?
Maybe I'm missing something obvious.


Thank you for thinking with me!

VM
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
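
The `Flags: FfPAT` line in the post above carries no `R`, and a TGT without the renewable flag cannot be renewed. As an added example (not part of the original post), this shell snippet extracts the TGT flag string from MIT-style `klist -f` output and decodes the letters; the function names are hypothetical, the letter table is assumed to follow MIT klist's `-f` legend, and the sample input is the listing quoted in the post.

```shell
#!/bin/sh
# Added example: read the TGT flags from MIT-style `klist -f` output.
# Function names are hypothetical; the letter table follows MIT klist's -f legend.

# Print the flag string of the first krbtgt entry found on stdin.
tgt_flags() {
    awk '/krbtgt\// { in_tgt = 1; next }
         in_tgt && /Flags:/ { sub(/.*Flags:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# Map one flag letter to its meaning.
flag_name() {
    case "$1" in
        F) echo forwardable ;;            f) echo forwarded ;;
        P) echo proxiable ;;              p) echo proxy ;;
        D) echo postdateable ;;           d) echo postdated ;;
        R) echo renewable ;;              I) echo initial ;;
        i) echo invalid ;;                H) echo hardware-authenticated ;;
        A) echo pre-authenticated ;;      T) echo transit-policy-checked ;;
        O) echo ok-as-delegate ;;         a) echo anonymous ;;
        *) echo "unknown($1)" ;;
    esac
}

# Decode a whole flag string into a comma-separated list.
decode_flags() {
    rest=$1; out=
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}    # first character of $rest
        rest=${rest#?}
        out="${out:+$out,}$(flag_name "$c")"
    done
    echo "$out"
}

# Succeed only if the TGT on stdin carries the R (renewable) flag.
tgt_is_renewable() { case "$(tgt_flags)" in *R*) return 0 ;; *) return 1 ;; esac; }

# Sample input: the forwarded-ticket listing quoted in the post.
SAMPLE='Ticket cache: FILE:/tmp/krb5cc_1379_BZVstF6000
Default principal: v...@realm.com

Valid starting     Expires            Service principal
10/26/16 14:00:30  11/25/16 12:55:05  krbtgt/realm....@realm.com
       Flags: FfPAT'

flags=$(printf '%s\n' "$SAMPLE" | tgt_flags)
echo "TGT flags: $flags = $(decode_flags "$flags")"
printf '%s\n' "$SAMPLE" | tgt_is_renewable || echo "no R flag: kinit -R / krenew cannot renew this ticket"
```

On a live host, `klist -f | tgt_is_renewable` gives the same check against the current credential cache.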