| Summary: | MIT Kerberos ebuilds don't seem to honor max_life or max_renewable_life in kdc.conf | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Troy Telford <mquezn8wfq> |
| Component: | New packages | Assignee: | Gentoo Kerberos Maintainers <kerberos> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | harley |
| Priority: | High | | |
| Version: | 2008.0 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Troy Telford
2008-12-04 17:49:33 UTC
(In reply to comment #0)
> Forum message detailing the bug (will cover it here as well, of course)
> http://forums.gentoo.org/viewtopic-t-716885.html
>
> I've got a functioning Kerberos KDC - I'm able to get keys, login with kerberized rsh/ssh/telnet, mount kerberized NFS mounts, etc. Forwardable tickets work fine. I have two slave KDCs, also running Gentoo Linux on AMD64, and replication and serving of tickets works equally well from the slave KDCs as from the Master.
>
> All three systems are running app-crypt/mit-krb5-1.6.3-r4.
>
> However, it seems that no matter what I do, a client can always ask for a ticket whose lifetime is 24 hours. Additionally, the ability to renew tickets expires the second they are created.
>
> The Kerberos documentation seems to indicate that, in /etc/kdc.conf, the item "max_life" should dictate the maximum lifetime of a ticket that the KDC will offer.
>
> In a similar vein, the item "max_renewable_life" allows an admin to set the maximum length of time a ticket may be renewed.
>
> My /etc/kdc.conf is short enough I'll include it in the description:
>
>     [kdcdefaults]
>         kdc_ports = 750,88
>
>     [realms]
>         FOO.BAR.COM = {
>             database_name = /var/lib/krb5kdc/principal
>             admin_keytab = /var/lib/krb5kdc/kadm5.keytab
>             acl_file = /var/lib/krb5kdc/kadm5.acl
>             key_stash_file = /var/lib/krb5kdc/.k5.FOO.BAR.COM
>             kdc_ports = 750,88
>             max_life = 10h 0m 0s
>             max_renewable_life = 7d 0h 0m 0s
>         }
>
> I'd like to note that when I copied this configuration file to a Debian system (and made the appropriate adjustments to the file paths), it works as expected; ticket lifetimes are limited by max_life and max_renewable_life.
>
> But on Gentoo, it doesn't work as expected. Tickets are good for up to 24 hours - the client can request a shorter period. However, the KDC server should be able to limit the ticket length's maximum life. It doesn't - I can set the server to have a max_life of 30 seconds and it'll give out tickets good for 24 hours. (I am restarting the KDC after making changes, of course.)
>
> And again, on Gentoo - they can't be renewed for the length of time specified in /etc/kdc.conf. Instead, renewal expires the second it's created - case in point:
>
>     klist
>     Ticket cache: FILE:/tmp/krb5cc_46669
>     Default principal: troyt@FOO.BAR.COM
>
>     Valid starting     Expires            Service principal
>     12/04/08 10:38:01  12/05/08 10:38:01  krbtgt/FOO.BAR.COM@FOO.BAR.COM
>             renew until 12/04/08 10:38:01
>
> Note that it's good for 24 hours (instead of the current setting for max_life - 10h), and that the renewal expires the moment it was created.

Heath Caldwell (hncaldwell) is the developer taking care of Kerberos. I cannot reproduce this with mit-krb5-1.8.2. Please reopen if you disagree.
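A worked check for the situation the report describes, added here as an example; it is not code from the bug report, from Gentoo or from the mit-krb5 package. It reads the realm's `max_life` and `max_renewable_life` out of a kdc.conf, converts MIT's duration syntax to seconds, parses the `Valid starting / Expires / renew until` lines that `klist` prints, and flags any ticket whose lifetime exceeds `max_life` or whose `renew until` is not later than its start time. The kdc.conf and klist text embedded below are constructed to match the values in the report; the duration parser covers the bare-seconds, `HH:MM[:SS]` and `Nd Nh Nm Ns` forms; the `24h` and `0` fallbacks are the defaults the MIT kdc.conf documentation gives for the two relations. Everything else (function names, the report format) is this example's own choice.

```python
# Added example, not code from the bug report or from mit-krb5: read a realm's
# max_life / max_renewable_life from kdc.conf and flag tickets in klist output
# that exceed those limits or that cannot be renewed at all.
import re
from datetime import datetime

# Constructed sample input, shaped like the reporter's /etc/kdc.conf.
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    FOO.BAR.COM = {
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
"""

# Constructed sample input: the klist lines from the report, a 24h ticket whose
# 'renew until' equals its start time.
KLIST_REPORTED = """\
Valid starting     Expires            Service principal
12/04/08 10:38:01  12/05/08 10:38:01  krbtgt/FOO.BAR.COM@FOO.BAR.COM
        renew until 12/04/08 10:38:01
"""

DEFAULTS = {"max_life": "24h", "max_renewable_life": "0"}  # MIT's documented defaults
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"  # timestamp shape in klist's default output
TS_FMT = "%m/%d/%y %H:%M:%S"


def parse_deltat(text):
    """kdc.conf duration -> seconds: bare seconds, HH:MM[:SS], or 'Nd Nh Nm Ns'."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    if ":" in text:
        h, m, s = (text.split(":") + ["0"])[:3]
        return int(h) * 3600 + int(m) * 60 + int(s)
    tokens = re.findall(r"(\d+)\s*([dhms])", text)
    if not tokens or "".join(n + u for n, u in tokens) != re.sub(r"\s", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in tokens)


def parse_kdc_conf(text):
    """Minimal kdc.conf reader: [section] headers, key = value, REALM = { ... }."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            section, block = conf.setdefault(line.strip("[]"), {}), None
        elif line == "}":
            block = None
        elif line:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section)[key] = value
    return conf


def realm_limits(conf, realm):
    """(max_life, max_renewable_life) in seconds, falling back to MIT's defaults."""
    stanza = conf.get("realms", {}).get(realm, {})
    return tuple(parse_deltat(stanza.get(k, DEFAULTS[k])) for k in DEFAULTS)


def parse_klist(text):
    """One dict (start, end, renew_until, service) per ticket in klist output."""
    tickets = []
    for line in text.splitlines():
        m = re.match(rf"^({TS})\s+({TS})\s+(\S+)$", line.strip())
        if m:
            tickets.append({"start": datetime.strptime(m[1], TS_FMT),
                            "end": datetime.strptime(m[2], TS_FMT),
                            "renew_until": None, "service": m[3]})
        elif (m := re.match(rf"^\s*renew until ({TS})", line)) and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m[1], TS_FMT)
    return tickets


def audit(kdc_conf, klist_text, realm):
    """{service principal: [findings]} for tickets that break the realm's limits."""
    max_life, max_renew = realm_limits(parse_kdc_conf(kdc_conf), realm)
    report = {}
    for t in parse_klist(klist_text):
        findings = []
        life = int((t["end"] - t["start"]).total_seconds())
        if life > max_life:
            findings.append(f"lifetime {life}s exceeds max_life {max_life}s")
        renew = t["renew_until"]
        window = int((renew - t["start"]).total_seconds()) if renew else 0
        if max_renew and window <= 0:
            # 'renew until' at or before the start time: nothing can be renewed.
            findings.append("not renewable although max_renewable_life is set")
        elif window > max_renew:
            findings.append(f"renew window {window}s exceeds max_renewable_life {max_renew}s")
        if findings:
            report[t["service"]] = findings
    return report


if __name__ == "__main__":
    print(audit(KDC_CONF, KLIST_REPORTED, "FOO.BAR.COM") or "no findings")
```

Run as-is it reports both problems the reporter saw for the krbtgt ticket (an 86400s lifetime against a 36000s `max_life`, and a renew window of zero); on a live host feed it the real `/etc/kdc.conf` and the output of `klist` instead of the constructed strings. One caveat when reading the result: the MIT KDC clamps ticket lifetime and renewable lifetime not only to the realm's relations but also to the per-principal `Maximum ticket life` and `Maximum renewable life` stored in the database for the client and for the `krbtgt` principal (visible with `getprinc` in kadmin), so a kdc.conf that looks right is not by itself proof that the limits will be applied.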