Re: Default ticket lifetime
Ryan Underwood [EMAIL PROTECTED] writes:

> On Wed, Jun 29, 2005 at 10:04:40AM -0700, Russ Allbery wrote:
>> All that code to support appdefault configuration in kinit is a local
>> modification, which is also why default_lifetime was working for us
>> locally but isn't working for you.

> Hmm, so are you saying that in 1.4 this doesn't exist either? If so,
> would it be a bad idea to merge it?

There is a libdefaults setting that's supported in 1.4, just not an appdefaults setting. We locally added a ton of additional appdefaults settings for our site, but it's a bit entangled with other bits of code that probably aren't wanted upstream, particularly now that K4 support is being dropped (since that's what most of it was for). If I get a chance, I'll separate out just that part of the patch and then see if anyone's interested.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/

Kerberos mailing list  Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Default ticket lifetime
Ryan Underwood [EMAIL PROTECTED] writes:

> On Tue, Jun 28, 2005 at 09:36:42PM -0700, Russ Allbery wrote:
>> Ryan Underwood [EMAIL PROTECTED] writes:
>>> From the Changelog, it looks like this was disabled sometime in 1996
>>> and never revisited. But this is what I was referring to in my
>>> original post. Was this a bad idea for some reason?
>> It looks more like an effort was made to add it, but never really
>> finished. Anyway, that's libdefaults. Looking at the source of kinit
>> for 1.4, it sure looks like my original message was *supposed* to be
>> right:

> Woops; I'm using 1.3.6 from Debian. I guess that means this feature has
> been recently added?

On Debian sarge you could use heimdal-clients on your workstations in the meantime (probably not on machines where you do Kerberos administrative work). Kinit from Heimdal evaluates the appdefaults section properly.

Hth,
Christian

-- 
Dipl.-Ing. Christian Pfaffel-Janser   [EMAIL PROTECTED]
Technische Universität Graz           Phone: +43 / 316 / 873 - 81 90
Institut für Theoretische Physik      Fax:   +43 / 316 / 873 - 86 78
Petersgasse 16, A-8010 Graz           http://itp.tugraz.at/~flash/pubkey.gpg
Re: Default ticket lifetime
Ryan Underwood [EMAIL PROTECTED] writes:

> On Tue, Jun 28, 2005 at 09:36:42PM -0700, Russ Allbery wrote:
>> That would be default_lifetime in [appdefaults]. Are you sure that you
>> have the time specification syntax right?

> Yeah, I just don't have the code you quoted in the 1.3.6 kinit.c - that
> may be the problem. :)

*sigh*. Ignore all that stuff I told you. I keep forgetting how much we modified some aspects of the Kerberos code and keep forgetting to go look at a virgin source tree. Now I have one on hand and will hopefully remember.

All that code to support appdefault configuration in kinit is a local modification, which is also why default_lifetime was working for us locally but isn't working for you.

I'm sorry about the confusion.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: Default ticket lifetime
Ryan Underwood [EMAIL PROTECTED] writes:

> I'm trying to set a default ticket lifetime longer than the 10 hour
> default in /etc/krb5.conf (without hacking the source). It appears that
> at one point there was a tkt_lifetime option, but that it was later
> removed. Is there any way to do this in the current krb5 distribution
> or any plans to implement something similar?

default_lifetime in the [appdefaults] section, I believe.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: Default ticket lifetime
On Tue, Jun 28, 2005 at 08:04:16PM -0700, Russ Allbery wrote:
> Ryan Underwood [EMAIL PROTECTED] writes:
>> I'm trying to set a default ticket lifetime longer than the 10 hour
>> default in /etc/krb5.conf (without hacking the source). It appears
>> that at one point there was a tkt_lifetime option, but that it was
>> later removed. Is there any way to do this in the current krb5
>> distribution or any plans to implement something similar?
> default_lifetime in the [appdefaults] section, I believe.

I've tried this in both the appdefaults and realms sections with no effect. Additionally, it does not turn up in a source grep.

I should mention that I am able to obtain tickets of the correct length by using the '-l' option to kinit, so the KDC and principals are apparently configured correctly.

-- 
Ryan Underwood, [EMAIL PROTECTED]
Re: Default ticket lifetime
Ryan Underwood [EMAIL PROTECTED] writes:

> I've tried this in both the appdefaults and realms sections with no
> effect. Additionally, it does not turn up in a source grep.

> I should mention that I am able to obtain tickets of the correct length
> by using the '-l' option to kinit, so the KDC and principals are
> apparently configured correctly.

Ah, hm.

    #if 0
        /* Default ticket lifetime is currently not supported */
        profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime",
                            0, 10 * 60 * 60, &tmp);
        ctx->tkt_lifetime = tmp;
    #endif

(src/lib/krb5/krb/init_ctx.c). It looks like they might not have ever been really supported?

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: Default ticket lifetime
On Tue, Jun 28, 2005 at 08:49:34PM -0700, Russ Allbery wrote:
> Ah, hm.
>
>     #if 0
>         /* Default ticket lifetime is currently not supported */
>         profile_get_integer(ctx->profile, "libdefaults", "tkt_lifetime",
>                             0, 10 * 60 * 60, &tmp);
>         ctx->tkt_lifetime = tmp;
>     #endif
>
> (src/lib/krb5/krb/init_ctx.c). It looks like they might not have ever
> been really supported?

From the Changelog, it looks like this was disabled sometime in 1996 and never revisited. But this is what I was referring to in my original post. Was this a bad idea for some reason?

-- 
Ryan Underwood, [EMAIL PROTECTED]
Re: Default ticket lifetime
Ryan Underwood [EMAIL PROTECTED] writes:

> From the Changelog, it looks like this was disabled sometime in 1996
> and never revisited. But this is what I was referring to in my original
> post. Was this a bad idea for some reason?

It looks more like an effort was made to add it, but never really finished. Anyway, that's libdefaults. Looking at the source of kinit for 1.4, it sure looks like my original message was *supposed* to be right:

    #define KINIT_DEFAULT_LIFE "default_lifetime"

    [...]

    /* Lifetime */
    default_list[KINIT_LIFETM_INDEX].option = KINIT_DEFAULT_LIFE;
    default_list[KINIT_LIFETM_INDEX].default_value = "10hrs";
    default_list[KINIT_LIFETM_INDEX].parse_function = krb5_string_to_deltat;
    default_list[KINIT_LIFETM_INDEX].store = (void *) &(opts->lifetime);

    [...]

    if (k5->me != NULL) {
        rcode = krb5_appdefault_read(k5->ctx, progname,
                                     krb5_princ_realm(k5->ctx, k5->me),
                                     default_list, KINIT_DEFAULT_COUNT);
    } else {
        rcode = krb5_appdefault_read(k5->ctx, progname, NULL,
                                     default_list, KINIT_DEFAULT_COUNT);
    }

That would be default_lifetime in [appdefaults]. Are you sure that you have the time specification syntax right?

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
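For reference, the two krb5.conf spellings this thread talks about, side by side. This is an added example, not a file from the thread or from the MIT distribution; EXAMPLE.COM is a placeholder realm and the 24h value is arbitrary. Which of the two a given kinit reads is exactly what the thread works out: a stock 1.3.x kinit asks for a fixed 10 hours whatever krb5.conf says, and the [appdefaults] form is only honoured by a kinit that calls krb5_appdefault_read with its program name, as in the excerpt Russ quotes above. krb5_appdefault_read consults, in order, the application-and-realm subsection, the application subsection, a realm subsection, and finally a bare option directly under [appdefaults], so the realm-specific block below overrides the plain one for EXAMPLE.COM principals.

```ini
[libdefaults]
    default_realm = EXAMPLE.COM
    # Lifetime the client library asks for when kinit is run without -l.
    # Ignored by 1.3.x kinit, which hardcodes 10 hours (10*60*60 in the source).
    ticket_lifetime = 24h

[appdefaults]
    # Read only by a kinit built with the appdefaults lookup shown in the
    # thread; the key is the program name passed to krb5_appdefault_read.
    kinit = {
        default_lifetime = 24h
        # Per-realm override, matched when the principal's realm is EXAMPLE.COM.
        EXAMPLE.COM = {
            default_lifetime = 1d
        }
    }
```

Whichever form your kinit reads, the client is only asking; confirm the result with `klist` (the Expires column) after a plain `kinit`, and if it still comes back as 10 hours, compare the request against the server-side ceilings: `kadmin -q "getprinc alice@EXAMPLE.COM"` shows "Maximum ticket life" for the user, the same check applies to `krbtgt/EXAMPLE.COM@EXAMPLE.COM`, and both can be raised with `modprinc -maxlife 1day <principal>`; `max_life` under the realm in kdc.conf caps everything.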
Re: Default ticket lifetime
On Tue, Jun 28, 2005 at 09:36:42PM -0700, Russ Allbery wrote:
> Ryan Underwood [EMAIL PROTECTED] writes:
>> From the Changelog, it looks like this was disabled sometime in 1996
>> and never revisited. But this is what I was referring to in my
>> original post. Was this a bad idea for some reason?
> It looks more like an effort was made to add it, but never really
> finished. Anyway, that's libdefaults. Looking at the source of kinit
> for 1.4, it sure looks like my original message was *supposed* to be
> right:

Woops; I'm using 1.3.6 from Debian. I guess that means this feature has been recently added?

> That would be default_lifetime in [appdefaults]. Are you sure that you
> have the time specification syntax right?

Yeah, I just don't have the code you quoted in the 1.3.6 kinit.c - that may be the problem. :)

-- 
Ryan Underwood, [EMAIL PROTECTED]
Re: Default ticket lifetime
Ryan Underwood [EMAIL PROTECTED] writes:

> Woops; I'm using 1.3.6 from Debian. I guess that means this feature has
> been recently added?

Yup, looks like all that code has been significantly redone in 1.4. I agree, I don't see anything in 1.3.6 that would let you change the default ticket lifetime in krb5.conf.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: Default ticket lifetime
On Tue, Jun 28, 2005 at 09:51:47PM -0700, Russ Allbery wrote:
> Yup, looks like all that code has been significantly redone in 1.4. I
> agree, I don't see anything in 1.3.6 that would let you change the
> default ticket lifetime in krb5.conf.

Is an upgrade of the package planned? I only see one pending new upstream release bug regarding krb5, against krb5-admin-server.

-- 
Ryan Underwood, [EMAIL PROTECTED]
Re: Default ticket lifetime
Ryan Underwood [EMAIL PROTECTED] writes:

> On Tue, Jun 28, 2005 at 09:51:47PM -0700, Russ Allbery wrote:
>> Yup, looks like all that code has been significantly redone in 1.4. I
>> agree, I don't see anything in 1.3.6 that would let you change the
>> default ticket lifetime in krb5.conf.

> Is an upgrade of the package planned? I only see one pending new
> upstream release bug regarding krb5, against krb5-admin-server.

Sam is working on an upload to experimental but is very busy. I have a few other things on my plate as well, alas, but I hope it won't be too much longer before we can start testing 1.4.1. It's a fairly substantial change and now requires coordination with the NFSv4 folks, so it's worth proceeding cautiously.

Unfortunately, that means I don't know what kind of time frame we're talking about for solving your particular problem. Before etch is released, certainly.

-- 
Russ Allbery ([EMAIL PROTECTED]) http://www.eyrie.org/~eagle/
Re: Default ticket lifetime
On Tue, Jun 28, 2005 at 09:57:51PM -0700, Russ Allbery wrote:
> Sam is working on an upload to experimental but is very busy. I have a
> few other things on my plate as well, alas, but I hope it won't be too
> much longer before we can start testing 1.4.1. It's a fairly
> substantial change and now requires coordination with the NFSv4 folks,
> so it's worth proceeding cautiously.
>
> Unfortunately, that means I don't know what kind of time frame we're
> talking about for solving your particular problem. Before etch is
> released, certainly.

It's no hurry. I've dealt with the status quo for a long time and just today had the itch to revisit this particular issue, armed with a few years of field experience with Kerberos and AFS. In any case, I'm glad to know that the gears are in motion, and I'll add myself to the notification list for the upload.

Thanks!

-- 
Ryan Underwood, [EMAIL PROTECTED]
Re: Default ticket lifetime
>>>>> "Lukas" == Lukas Kubin [EMAIL PROTECTED] writes:

    Lukas> What do I need to configure on Linux KDC to have longer
    Lukas> default tickets (ie. the lifetime when I use kinit without
    Lukas> parameters)?

MIT's kinit uses a hard coded default lifetime. This is sort of unfortunate.
Re: Default ticket lifetime
That's really a surprise. I wonder if there is any reason for such a constraint.

I have 2 more questions:

1. Do you know then if there is some parameter of the pam_krb5 module config to force it to try to get a longer lifetime? (I mean the equivalent of kinit -r somevalue -l somevalue)

2. By default I don't get a renewable ticket, even if I should (the principal is allowed renewable). I only get it when I specify it with a parameter of kinit. Can I change this behaviour?

Thank you.

lukas

Sam Hartman wrote:
>>>>>> "Lukas" == Lukas Kubin [EMAIL PROTECTED] writes:
>
>     Lukas> What do I need to configure on Linux KDC to have longer
>     Lukas> default tickets (ie. the lifetime when I use kinit without
>     Lukas> parameters)?
>
> MIT's kinit uses a hard coded default lifetime. This is sort of
> unfortunate.

-- 
Lukas Kubin
phone: +420596398275
email: [EMAIL PROTECTED]

Information centre
The School of Business Administration in Karvina
Silesian University in Opava
Czech Republic
http://www.opf.slu.cz
Re: Default Ticket Lifetime
Hi,

Dennis James [EMAIL PROTECTED] wrote:
> I am trying to set the default ticket lifetime but nothing works. The
> kinit command seems to ignore the -l option and sets the lifetime to 10
> hours. Anyone have any ideas?

MIT, Heimdal or Win? I assume you want to increase the lifetime, don't you?

For the MIT implementation, the maximum ticket lifetime is stored for every principal. Thus, you have to set the 'maxlife' parameter for any user and service principal via kadmin. The max_life option within the KDC config is only the default value if you create a new principal.

Then it should be possible to obtain a ticket with a longer lifetime via 'kinit -l ...'. If no '-l ...' is given, the default lifetime that kinit requests is hardcoded in the client code (look for '10*60*60').

hope this helps,
Jens
Re: default ticket lifetime
Klaas Hagemann wrote:
> Jens Kleineheismann wrote:
>> Hi there,
>
> Hi Jens,
>
> there are three points where the ticket lifetime is defined:
>
> 1. kdc.conf, you checked this
> 2. the principals, you checked this as well
> 3. the /etc/krb5.conf on the client side. There you can define a
>    default ticket lifetime. In the section [libdefaults] you can set
>
>    ticket_lifetime = ticket lifetime in seconds

But it is hard coded in the MIT 1.2.6 get_in_tkt.c:

    if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_TKT_LIFE))
        request.till += options->tkt_life;
    else
        request.till += 10*60*60; /* this used to be hardcoded in kinit.c */

so it looks like the [libdefaults] is not used.

> Anyway the lowest value always wins.
>
> Klaas

-- 
Douglas E. Engert [EMAIL PROTECTED]
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
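Two things in this thread are easy to get wrong when debugging a ticket that stubbornly comes back as 10 hours: the duration syntax krb5.conf accepts (Russ's "are you sure you have the time specification syntax right?") and the "lowest value always wins" rule, under which the KDC grants the smallest of what the client asked for, the client principal's maxlife, the service principal's maxlife (krbtgt/REALM for a TGT) and the realm's max_life. The following is an added example, not code from the thread or from MIT krb5: an independent parser for the documented duration forms (plain seconds, h:m[:s], and chained unit suffixes such as 10h, 10hrs, 1d2h30m, 2 days), plus a small model of the KDC clamp that reports which limit bound the result. The unit table and the clamp are my reading of the documented behaviour, not MIT's implementation, and the sample scenario at the bottom is constructed.

```python
import re
from typing import Tuple

# Unit spellings accepted for krb5.conf durations, matched case-insensitively.
# Assumption: this table follows the documented duration syntax; it is not
# MIT's deltat grammar itself.
_UNITS = {
    "d": 86400, "day": 86400, "days": 86400,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "m": 60, "min": 60, "mins": 60, "minute": 60, "minutes": 60,
    "s": 1, "sec": 1, "secs": 1, "second": 1, "seconds": 1,
}
_TOKEN = re.compile(r"\s*(\d+)\s*([A-Za-z]+)")


def parse_deltat(spec: str) -> int:
    """Return the number of seconds a krb5.conf-style duration denotes.

    Accepted forms: plain seconds ("36000"), clock style ("10:00",
    "1:30:15") and unit suffixes that may be chained ("10h", "10hrs",
    "1d2h30m", "2 days").  Anything else raises ValueError, which is the
    first thing to rule out when a lifetime setting seems to be ignored.
    """
    s = spec.strip()
    if not s:
        raise ValueError("empty duration")
    if s.isdigit():
        return int(s)
    if ":" in s:
        parts = s.split(":")
        if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
            raise ValueError(f"bad h:m[:s] duration: {spec!r}")
        h, m, sec = ([int(p) for p in parts] + [0])[:3]
        return h * 3600 + m * 60 + sec
    total, pos = 0, 0
    while pos < len(s):
        mo = _TOKEN.match(s, pos)
        if mo is None:
            raise ValueError(f"bad duration near {s[pos:]!r} in {spec!r}")
        unit = mo.group(2).lower()
        if unit not in _UNITS:
            raise ValueError(f"unknown unit {mo.group(2)!r} in {spec!r}")
        total += int(mo.group(1)) * _UNITS[unit]
        pos = mo.end()
    return total


def granted_lifetime(requested: str, client_maxlife: str,
                     service_maxlife: str, realm_max_life: str) -> Tuple[int, str]:
    """Model the KDC's clamp: the lifetime actually granted is the smallest of
    what the client asked for (kinit -l, or kinit's built-in 10 hours when
    nothing configures it), the client principal's maxlife, the service
    principal's maxlife (krbtgt/REALM for a TGT) and max_life in kdc.conf.

    Returns (seconds, name of the limit that won) so the binding setting can
    be raised; on a tie the earlier name in this order is reported.
    """
    limits = {
        "requested": parse_deltat(requested),
        "client principal maxlife": parse_deltat(client_maxlife),
        "service principal maxlife": parse_deltat(service_maxlife),
        "kdc.conf max_life": parse_deltat(realm_max_life),
    }
    winner = min(limits, key=limits.__getitem__)
    return limits[winner], winner


if __name__ == "__main__":
    # Constructed scenario: the admin raised the user's maxlife to a day but
    # left krbtgt/REALM at its default, so "kinit -l 24h" still yields 10h.
    secs, why = granted_lifetime("24h", "1d", "10h", "7d")
    print(f"granted {secs} s ({secs // 3600} h), bound by: {why}")
```

Run it as-is to see the constructed scenario, or call granted_lifetime with the values from `kadmin -q "getprinc ..."` for the user and for krbtgt/REALM@REALM plus the realm's max_life from kdc.conf; the name it returns is the setting to raise.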