sure, but ignore the config files and give kinit a lifetime switch
On Thu, 12 Jul 2007, Jeff Blaine wrote:
This is MIT Kerberos as shipped with RHELv4.

ticket_lifetime = 2d in [libdefaults] of krb5.conf buys me nothing. ticket_lifetime is not a documented option for [libdefaults] according to the official MIT docs.

ticket_lifetime=2d as an option to pam_krb5RA.so buys me nothing.

Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): none: pam_sm_authenticate: entry (0x1)
Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: attempting authentication as [EMAIL PROTECTED]
Jul 12 17:24:10 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: pam_sm_authenticate: exit (success)
Jul 12 17:24:10 rcf-kerbtest-linux sshd[4367]: Accepted keyboard-interactive/pam for jblaine from ::ffff:129.83.10.14 port 60577 ssh2
Jul 12 17:24:10 rcf-kerbtest-linux sshd(pam_unix)[4370]: session opened for user jblaine by (uid=0)
Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: no context found, creating one
Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: found initial ticket cache at /tmp/krb5cc_pam_MB3OqY
Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: initializing ticket cache FILE:/tmp/krb5cc_26560_HBBo23
Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: exit (success)
Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): pam_sm_open_session: entry (0x0)
Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): running /usr/afsws/bin/aklog as UID 26560
Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): pam_sm_open_session: exit (success)
Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: entry (0x8)
Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: exit (success)

~:rcf-kerbtest-linux> /usr/kerberos/bin/klist
Ticket cache: FILE:/tmp/krb5cc_26560_zdQIVJ
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/12/07 17:25:36  07/13/07 17:25:36  krbtgt/[EMAIL PROTECTED]
        renew until 07/12/07 17:25:36
07/12/07 17:25:36  07/13/07 17:25:36  [EMAIL PROTECTED]
        renew until 07/12/07 17:25:36

Kerberos 4 ticket cache: /tmp/tkt26560
klist: You have no tickets cached
~:rcf-kerbtest-linux> tokens

Tokens held by the Cache Manager:

User's (AFS ID 26560) tokens for [EMAIL PROTECTED] [Expires Jul 13 17:25]
   --End of list--
~:rcf-kerbtest-linux>

Derrick J Brashear wrote:
kinit -l7d ?
On Thu, 12 Jul 2007, Jeff Blaine wrote:
I spoke way too soon.
One of them was off.
They're all three set to "2 days" now as a test and I still only get tickets and tokens for 24hrs.

Jeffrey Altman wrote:
Jeff Blaine wrote:
I'm using OpenAFS 1.4.3, pam_afs_session, and pam_krb5 from Russ Allbery. Can anyone shed light on why my tickets and tokens have only a 24hr lifetime?

kadmin.local: getprinc jblaine
Principal: [EMAIL PROTECTED]
Expiration date: [never]
Last password change: Mon Apr 23 14:50:16 EDT 2007
Password expiration date: [none]
Maximum ticket life: 7 days 00:00:00
Maximum renewable life: 0 days 00:00:00
Last modified: Tue May 01 14:32:01 EDT 2007 (root/[EMAIL PROTECTED])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin.local:

What are the maximum ticket lifetimes for your krbtgt/[EMAIL PROTECTED] and afs[/[EMAIL PROTECTED]@MITRE.ORG principals?

The maximum lifetime is the minimum of the user, tgt and service principals.

Jeffrey Altman
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info