Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

2016-07-07 Thread Victor Sudakov
Jeffrey Altman wrote:
> > Heimdal 1.1.0 on KDC.
> 
> This version dates to January 2008.  There have been many bugs fixed in
> the 8 years that have passed including the failure to renew tickets bug
> which was fixed in 2012.

If I install 1.5.3 from the FreeBSD ports collection and run the kdc
from there, would it improve the situation?


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

2016-07-07 Thread Jeffrey Altman
On 6/12/2016 6:04 AM, Victor Sudakov wrote:
> Heimdal 1.1.0 on KDC.

This version dates to January 2008.  There have been many bugs fixed in
the 8 years that have passed including the failure to renew tickets bug
which was fixed in 2012.

Jeffrey Altman






Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

2016-07-04 Thread Victor Sudakov
Harald Barth wrote:
> > Indeed, after the first "kinit -R" the ticket loses its renewable
> > property. Is it a desired/expected behaviour? 
> 
> Looks like a bug to me.

Is it really a bug or some misconfiguration on my part? Here is the
*complete* config on the client:

[libdefaults]
default_realm = SIBPTUS.RU
forwardable = yes
ticket_lifetime = 7d
renew_lifetime = 7d
no-addresses = false
renewable = true


[domain_realm]
.tomsk.su = SIBPTUS.RU
.tomsk.ru = SIBPTUS.RU
.sibptus.ru = SIBPTUS.RU



-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru


Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

2016-06-25 Thread Harald Barth
> Indeed, after the first "kinit -R" the ticket loses its renewable
> property. Is it a desired/expected behaviour? 

Looks like a bug to me.

Harald.


Re: kinit: krb5_get_kdc_cred: KDC can't fulfill requested option

2016-06-25 Thread Victor Sudakov
Harald Barth wrote:
> 
> > What should I specify in krb5.conf to always obtain renewable tickets? 
> 
> It might be missing from the man page, but I think it is
> 
> [libdefaults]
>   renewable = true
> 

Indeed, after the first "kinit -R" the ticket loses its renewable
property. Is it a desired/expected behaviour? Please see the output
below:


Script started on Sun Jun 26 10:22:42 2016
You have mail.
[sudakov@vas ~] klist
klist: No ticket file: /tmp/krb5cc_1001
[sudakov@vas ~] kinit
suda...@sibptus.ru's Password:
[sudakov@vas ~] klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: suda...@sibptus.ru
Cache version: 4

Server: krbtgt/sibptus...@sibptus.ru
Client: suda...@sibptus.ru
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jun 26 10:22:49 2016
End time:   Jul  3 10:22:49 2016
Renew till: Jul  3 10:22:49 2016
Ticket flags: pre-authent, initial, renewable, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, 
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

[sudakov@vas ~] kinit -R
[sudakov@vas ~] kinit -R
kinit: krb5_get_kdc_cred: KDC can't fulfill requested option
[sudakov@vas ~] klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: suda...@sibptus.ru
Cache version: 4

Server: krbtgt/sibptus...@sibptus.ru
Client: suda...@sibptus.ru
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 433
Auth time:  Jun 26 10:22:49 2016
Start time: Jun 26 10:22:54 2016
End time:   Jul  3 10:22:49 2016
Ticket flags: transited-policy-checked, pre-authent, forwardable
Addresses: IPv4:78.140.19.131, IPv4:192.168.4.1, IPv4:192.168.3.1, 
IPv6:2001:470:35:7af::2, IPv4:192.168.1.1

[sudakov@vas ~] exit

Script done on Sun Jun 26 10:23:00 2016

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
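
A check for the symptom shown in the transcript above, as an added example that is not part of the original thread: it reads `klist -v` output and reports whether the first krbtgt entry still carries the renewable flag together with a "Renew till" time. The function names, principal and realm are constructed for illustration, and the field names are assumed to match the Heimdal output quoted in the thread.

```shell
# Added example, not from the thread: classify the TGT in `klist -v` output.
# Field names follow the Heimdal output quoted above; sample text is constructed.

# Reads klist -v text on stdin and prints one of:
#   renewable | not-renewable | no-tgt   (first krbtgt entry only)
tgt_state() {
    awk '
        /^Server:/ {
            if (in_tgt) exit                 # first krbtgt entry is complete
            in_tgt = ($2 ~ /^krbtgt\//)
            if (in_tgt) seen = 1
        }
        in_tgt && /^Renew till:/ { renew_till = 1 }
        in_tgt && /^Ticket flags:/ {
            sub(/^Ticket flags:[ \t]*/, "")
            gsub(/[ \t\r]+$/, "")
            n = split($0, f, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (f[i] == "renewable") flag = 1
        }
        END {
            if (!seen) print "no-tgt"
            else if (flag && renew_till) print "renewable"
            else print "not-renewable"
        }'
}

sample_before() {   # constructed: TGT right after kinit
cat <<'EOF'
Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Auth time:  Jun 26 10:22:49 2016
End time:   Jul  3 10:22:49 2016
Renew till: Jul  3 10:22:49 2016
Ticket flags: pre-authent, initial, renewable, forwardable
EOF
}

sample_after() {    # constructed: TGT after the first kinit -R
cat <<'EOF'
Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Auth time:  Jun 26 10:22:49 2016
Start time: Jun 26 10:22:54 2016
End time:   Jul  3 10:22:49 2016
Ticket flags: transited-policy-checked, pre-authent, forwardable
EOF
}

# Live use: klist -v | tgt_state
```

Running it before and after `kinit -R` shows the change from `renewable` to `not-renewable` that the transcript records.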