subject:"Expired service ticket"

Re: Expired service ticket

2016-07-21 Thread Victor Sudakov

Diogenes S. Jesus wrote:
> Check on with:
> klist -Afe

Looks like "-e" is an unknown option.

> 
> And check what flags your TGT have - AFAIK it must have "renewable" flag.
> 
> http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5/doc/krb5-user/Kerberos-Ticket-Properties.htm

Yes, the TGT has the "renewable" flag, the expired service tickets
don't, and they are stuck. Please see below:

$ klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: suda...@sibptus.ru

  IssuedExpires   Principal
Jul 19 20:05:26 2016  Jul 26 20:05:25 2016  krbtgt/sibptus...@sibptus.ru
Jul 20 19:17:11 2016  >>>Expired<<< host/noc.sibptus...@sibptus.ru
Jul 20 19:17:11 2016  >>>Expired<<< host/noc.sibptus...@sibptus.ru
Jul 20 19:17:11 2016  >>>Expired<<< host/noc.sibptus...@sibptus.ru

$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: suda...@sibptus.ru
Cache version: 4

Server: krbtgt/sibptus...@sibptus.ru
Client: suda...@sibptus.ru
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jul 19 20:05:26 2016
End time:   Jul 26 20:05:25 2016
Renew till: Jul 26 20:05:26 2016
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, 
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

Server: host/noc.sibptus...@sibptus.ru
Client: suda...@sibptus.ru
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 435
Auth time:  Jul 19 20:05:26 2016
Start time: Jul 20 19:17:11 2016
End time:   Jul 21 19:17:11 2016 (expired)
Ticket flags: transited-policy-checked, pre-authent
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, 
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

Server: host/noc.sibptus...@sibptus.ru
Client: suda...@sibptus.ru
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 435
Auth time:  Jul 19 20:05:26 2016
Start time: Jul 20 19:17:11 2016
End time:   Jul 21 19:17:11 2016 (expired)
Ticket flags: transited-policy-checked, pre-authent
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, 
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

Server: host/noc.sibptus...@sibptus.ru
Client: suda...@sibptus.ru
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 435
Auth time:  Jul 19 20:05:26 2016
Start time: Jul 20 19:17:11 2016
End time:   Jul 21 19:17:11 2016 (expired)
Ticket flags: transited-policy-checked, pre-authent
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, 
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

Expired service ticket

2016-07-19 Thread Victor Sudakov

Colleagues,

If I have an expired service ticket and a still valid TGT, shouldn't I
expect the expired service ticket to be re-issued? Yet, it's not
happening:

[sudakov@vas ~] klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: suda...@sibptus.ru

  IssuedExpires   Principal
Jul 16 13:03:46 2016  Jul 21 19:48:36 2016  krbtgt/sibptus...@sibptus.ru
Jul 16 13:03:49 2016  >>>Expired<<< host/noc.sibptus...@sibptus.ru
Jul 16 13:03:49 2016  >>>Expired<<< host/noc.sibptus...@sibptus.ru
Jul 16 13:03:49 2016  >>>Expired<<< host/noc.sibptus...@sibptus.ru
Jul 16 13:03:49 2016  >>>Expired<<< host/noc.sibptus...@sibptus.ru
Jul 16 13:03:49 2016  >>>Expired<<< host/noc.sibptus...@sibptus.ru
[sudakov@vas ~] ssh noc
otp-md5 479 no1004 ext
Password: 

[sudakov@vas ~] 

What am I doing wrong?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

Re: Expired service ticket

Expired service ticket

2 matches

Site Navigation

Mail list logo

Footer information