Bug 249826 - MIT Kerberos ebuilds don't seem to honor max_life or max_renewable_life in kdc.conf
Summary: MIT Kerberos ebuilds don't seem to honor max_life or max_renewable_life in kd...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Kerberos Maintainers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-12-04 17:49 UTC by Troy Telford
Modified: 2010-07-17 08:16 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Troy Telford 2008-12-04 17:49:33 UTC
Forum message detailing the bug (will cover it here as well, of course)
http://forums.gentoo.org/viewtopic-t-716885.html

I've got a functioning Kerberos KDC - I'm able to get keys, log in with kerberized rsh/ssh/telnet, mount kerberized NFS mounts, etc.  Forwardable tickets work fine.  I have two slave KDCs, also running Gentoo Linux on AMD64, and replication and serving of tickets works equally well from the slave KDCs as from the Master.

All three systems are running app-crypt/mit-krb5-1.6.3-r4.

However, it seems that no matter what I do, a client can always ask for a ticket whose lifetime is 24 hours.  Additionally, the ability to renew tickets expires the second they are created.

The Kerberos documentation seems to indicate that, in /etc/kdc.conf, the item "max_life" should dictate the maximum lifetime of a ticket that the KDC will offer.

In a similar vein, the item "max_renewable_life" allows an admin to set the maximum length of time a ticket may be renewed.

My /etc/kdc.conf is short enough I'll include it in the description:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    FOO.BAR.COM = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = /var/lib/krb5kdc/kadm5.keytab
        acl_file = /var/lib/krb5kdc/kadm5.acl
        key_stash_file = /var/lib/krb5kdc/.k5.FOO.BAR.COM
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }

I'd like to note that when I copied this configuration file to a Debian system (and made the appropriate adjustments to the file paths), it works as expected; ticket lifetimes are limited by max_life and max_renewable_life.

But on Gentoo, it doesn't work as expected.  Tickets are good for up to 24 hours - the client can request a shorter period.  However, the KDC server should be able to limit the ticket length's maximum life.  It doesn't - I can set the server to have a max_life of 30 seconds and it'll give out tickets good for 24 hours.  (I am restarting the KDC after making changes, of course.)

And again, on Gentoo - they can't be renewed for the length of time specified in /etc/kdc.conf.  Instead, renewal expires the second it's created - case in point:

klist
Ticket cache: FILE:/tmp/krb5cc_46669
Default principal: troyt@FOO.BAR.COM

Valid starting     Expires            Service principal
12/04/08 10:38:01  12/05/08 10:38:01  krbtgt/FOO.BAR.COM@FOO.BAR.COM
        renew until 12/04/08 10:38:01

Note that it's good for 24 hours (instead of the current setting for max_life - 10h), and that the renewal expires the moment it was created.
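A conformance check for the symptom described above, added here as an example and not part of the bug report: it parses the kdc.conf duration syntax and klist output (the embedded sample is the report's own klist output, used as constructed input) and flags tickets whose lifetime or renewable period disagrees with max_life and max_renewable_life.

```python
import re
from datetime import datetime
# Constructed sample input: the klist output quoted in the report above.
KLIST_OUTPUT = """Valid starting     Expires            Service principal
12/04/08 10:38:01  12/05/08 10:38:01  krbtgt/FOO.BAR.COM@FOO.BAR.COM
        renew until 12/04/08 10:38:01
"""

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TS = "%m/%d/%y %H:%M:%S"  # klist's timestamp format as shown in the report
_STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
_TICKET_RE = re.compile(rf"^{_STAMP}\s+{_STAMP}\s+(\S+)\s*$")
_RENEW_RE = re.compile(rf"^\s*renew until {_STAMP}")

def parse_kdc_duration(text):
    """Parse the 'NNd NNh NNm NNs' duration form used in kdc.conf into seconds."""
    parts = re.findall(r"(\d+)\s*([dhms])", text.lower())
    if not parts:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)

def parse_klist(output):
    """Extract service, start, expires and renew_until (None if absent) per ticket."""
    tickets = []
    for line in output.splitlines():
        if m := _TICKET_RE.match(line):
            tickets.append({"service": m.group(3), "renew_until": None,
                            "start": datetime.strptime(m.group(1), _TS),
                            "expires": datetime.strptime(m.group(2), _TS)})
        elif (m := _RENEW_RE.match(line)) and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), _TS)
    return tickets

def check_ticket(ticket, max_life, max_renewable_life):
    """List the ways one ticket exceeds the configured realm limits (empty = consistent)."""
    findings = []
    life = (ticket["expires"] - ticket["start"]).total_seconds()
    if life > max_life:
        findings.append(f"lifetime {life:.0f}s exceeds max_life {max_life}s")
    until = ticket["renew_until"]
    renewable = 0 if until is None else (until - ticket["start"]).total_seconds()
    if max_renewable_life > 0 and renewable <= 0:
        findings.append(f"renewal expires at issue time although max_renewable_life is {max_renewable_life}s")
    elif renewable > max_renewable_life:
        findings.append(f"renewable life {renewable:.0f}s exceeds max_renewable_life {max_renewable_life}s")
    return findings

def audit(klist_output, max_life_text, max_renewable_text):
    # Map each service principal in the klist output to its findings against the kdc.conf values.
    max_life, max_renew = parse_kdc_duration(max_life_text), parse_kdc_duration(max_renewable_text)
    return {t["service"]: check_ticket(t, max_life, max_renew) for t in parse_klist(klist_output)}
```

Run against the report's values (max_life = 10h, max_renewable_life = 7d) the sample ticket yields two findings, matching the complaint; with 24h and 0s it yields none.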
Comment 1 David Abbott (RETIRED) gentoo-dev 2008-12-05 02:19:29 UTC
(In reply to comment #0)

Heath Caldwell (hncaldwell) is the developer taking care of Kerberos.
Comment 2 Eray Aslan gentoo-dev 2010-07-17 08:16:43 UTC
I cannot reproduce this with mit-krb5-1.8.2.  Please reopen if you disagree.