Forum message detailing the bug (will cover it here as well, of course):
http://forums.gentoo.org/viewtopic-t-716885.html

I've got a functioning Kerberos KDC - I'm able to get keys, login with kerberized rsh/ssh/telnet, mount kerberized NFS mounts, etc. Forwardable tickets work fine. I have two slave KDCs, also running Gentoo Linux on AMD64, and replication and serving of tickets works equally well from the slave KDCs as from the master.

All three systems are running app-crypt/mit-krb5-1.6.3-r4.

However, it seems that no matter what I do, a client can always ask for a ticket whose lifetime is 24 hours. Additionally, the ability to renew tickets expires the second they are created.

The Kerberos documentation seems to indicate that, in /etc/kdc.conf, the item "max_life" should dictate the maximum lifetime of a ticket that the KDC will offer. In a similar vein, the item "max_renewable_life" allows an admin to set the maximum length of time a ticket may be renewed.

My /etc/kdc.conf is short enough that I'll include it in the description:

    [kdcdefaults]
        kdc_ports = 750,88

    [realms]
        FOO.BAR.COM = {
            database_name = /var/lib/krb5kdc/principal
            admin_keytab = /var/lib/krb5kdc/kadm5.keytab
            acl_file = /var/lib/krb5kdc/kadm5.acl
            key_stash_file = /var/lib/krb5kdc/.k5.FOO.BAR.COM
            kdc_ports = 750,88
            max_life = 10h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
        }

I'd like to note that when I copied this configuration file to a Debian system (and made the appropriate adjustments to the file paths), it works as expected; ticket lifetimes are limited by max_life and max_renewable_life.

But on Gentoo, it doesn't work as expected. Tickets are good for up to 24 hours - the client can request a shorter period. However, the KDC server should be able to limit the ticket's maximum life. It doesn't - I can set the server to have a max_life of 30 seconds and it'll give out tickets good for 24 hours. (I am restarting the KDC after making changes, of course.)

And again, on Gentoo - they can't be renewed for the length of time specified in /etc/kdc.conf. Instead, renewal expires the second it's created - case in point:

    klist
    Ticket cache: FILE:/tmp/krb5cc_46669
    Default principal: troyt@FOO.BAR.COM

    Valid starting     Expires            Service principal
    12/04/08 10:38:01  12/05/08 10:38:01  krbtgt/FOO.BAR.COM@FOO.BAR.COM
            renew until 12/04/08 10:38:01

Note that it's good for 24 hours (instead of the current setting for max_life - 10h), and that the renewal expires the moment it was created.
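A check that turns the reporter's manual comparison into something repeatable, added here as an illustration and not code from the bug report or from MIT Kerberos: it parses kdc.conf durations and klist output and flags TGTs that outlive the configured caps or come back with a zero renewal window. Because a MIT KDC caps a ticket at the smallest of the realm's kdc.conf value and the maximum-life / maximum-renewable-life attributes stored on the client principal and on the krbtgt service principal, the script also reads kadmin getprinc output and computes the effective cap, so a 24-hour ticket can be traced to whichever limit actually applied. The sample kdc.conf and klist text are constructed from the report above; the getprinc text, its field layout and its values are an assumption about that command's output, not data from the reporter's KDC.

```python
"""Audit Kerberos TGT lifetimes against the caps a MIT KDC should enforce."""
import re
from datetime import datetime

# Constructed sample inputs modelled on the bug report (not captured data).
KDC_CONF = """[kdcdefaults]
    kdc_ports = 750,88

[realms]
    FOO.BAR.COM = {
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
"""
KLIST_OUTPUT = """Ticket cache: FILE:/tmp/krb5cc_46669
Default principal: troyt@FOO.BAR.COM

Valid starting     Expires            Service principal
12/04/08 10:38:01  12/05/08 10:38:01  krbtgt/FOO.BAR.COM@FOO.BAR.COM
        renew until 12/04/08 10:38:01
"""
# Assumed shape of `kadmin.local -q "getprinc krbtgt/FOO.BAR.COM"` output; the
# values are constructed to show how a principal attribute can undercut kdc.conf.
GETPRINC_OUTPUT = """Principal: krbtgt/FOO.BAR.COM@FOO.BAR.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
"""

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
KLIST_TIME = "%m/%d/%y %H:%M:%S"          # klist's default timestamp format
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ENTRY_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)\s*$")
RENEW_RE = re.compile(rf"^\s*renew until ({TS})")


def parse_duration(text):
    """Seconds for '10h 0m 0s' / '7d 0h 0m 0s' (kdc.conf) or '1 day 00:00:00' (getprinc)."""
    text = text.strip()
    m = re.fullmatch(r"(?:(\d+)\s+days?\s+)?(\d+):(\d\d):(\d\d)", text)
    if m:
        days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
        return days * 86400 + hours * 3600 + mins * 60 + secs
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)\s*([dhms])", text))


def kdc_conf_caps(conf):
    """max_life / max_renewable_life (seconds) from a kdc.conf realm block."""
    caps = {}
    for key in ("max_life", "max_renewable_life"):
        m = re.search(rf"^\s*{key}\s*=\s*(.+?)\s*$", conf, re.M)
        if m:
            caps[key] = parse_duration(m.group(1))
    return caps


def principal_caps(getprinc):
    """Per-principal caps from kadmin getprinc output; the KDC applies these too."""
    life = re.search(r"^Maximum ticket life:\s*(.+)$", getprinc, re.M)
    renew = re.search(r"^Maximum renewable life:\s*(.+)$", getprinc, re.M)
    return {"max_life": parse_duration(life.group(1)),
            "max_renewable_life": parse_duration(renew.group(1))}


def effective_caps(*cap_sets):
    """The KDC enforces the smallest value any source allows, per limit."""
    return {key: min(c[key] for c in cap_sets if key in c)
            for key in ("max_life", "max_renewable_life")}


def parse_klist(output):
    """Return [{service, lifetime, renewable_for}] in seconds for each ticket."""
    tickets, lines = [], output.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        start = datetime.strptime(m.group(1), KLIST_TIME)
        end = datetime.strptime(m.group(2), KLIST_TIME)
        renew_until = start  # no 'renew until' line means the ticket is not renewable
        if i + 1 < len(lines) and (r := RENEW_RE.match(lines[i + 1])):
            renew_until = datetime.strptime(r.group(1), KLIST_TIME)
        tickets.append({"service": m.group(3),
                        "lifetime": int((end - start).total_seconds()),
                        "renewable_for": int((renew_until - start).total_seconds())})
    return tickets


def audit(klist_output, caps):
    """Findings for each TGT whose observed lifetime or renewal window disagrees with caps."""
    findings = []
    for t in parse_klist(klist_output):
        if not t["service"].startswith("krbtgt/"):
            continue
        if t["lifetime"] > caps["max_life"]:
            findings.append(f"{t['service']}: lifetime {t['lifetime']}s exceeds "
                            f"max_life {caps['max_life']}s")
        if t["renewable_for"] <= 0:
            findings.append(f"{t['service']}: not renewable (renew until == valid starting)")
        elif t["renewable_for"] > caps["max_renewable_life"]:
            findings.append(f"{t['service']}: renewable for {t['renewable_for']}s exceeds "
                            f"max_renewable_life {caps['max_renewable_life']}s")
    return findings


if __name__ == "__main__":
    conf_only = kdc_conf_caps(KDC_CONF)
    print("kdc.conf caps: ", conf_only)
    print("effective caps:", effective_caps(conf_only, principal_caps(GETPRINC_OUTPUT)))
    print("\n".join(audit(KLIST_OUTPUT, conf_only)))
```

Against kdc.conf alone the sample ticket trips both checks, which is exactly the report above. Feeding in the constructed getprinc output drops the effective max_renewable_life to 0, which is the kind of principal-level limit to rule out (and raise with kadmin modprinc) before concluding that the KDC is ignoring kdc.conf.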
(In reply to comment #0)
> Forum message detailing the bug (will cover it here as well, of course)
> http://forums.gentoo.org/viewtopic-t-716885.html
>
> I've got a functioning Kerberos KDC - I'm able to get keys, login with
> kerberized rsh/ssh/telnet, mount kerberized NFS mounts, etc. Forwardable
> tickets work fine. I have two slave KDC's, also running Gentoo Linux on AMD64,
> and replication and serving of tickets works equally well from the slave KDC's
> as from the Master.
>
> All three systems are running app-crypt/mit-krb5-1.6.3-r4.
>
> However, it seems that no matter what I do, a client can always ask for a
> ticket whose lifetime is 24 hours. Additionally, the ability to renew tickets
> expires the second they are created.
>
> The Kerberos documentation seems to indicate that, in /etc/kdc.conf, the item
> "max_life" should dictate the maximum lifetime of a ticket that the KDC will
> offer.
>
> In a similar vein, the item "max_renewable_life" allows an admin to set the
> maximum length of time a ticket may be renewed.
>
> My /etc/kdc.conf is short enough I'll include it in the description:
>
> [kdcdefaults]
>     kdc_ports = 750,88
>
> [realms]
>     FOO.BAR.COM = {
>         database_name = /var/lib/krb5kdc/principal
>         admin_keytab = /var/lib/krb5kdc/kadm5.keytab
>         acl_file = /var/lib/krb5kdc/kadm5.acl
>         key_stash_file = /var/lib/krb5kdc/.k5.FOO.BAR.COM
>         kdc_ports = 750,88
>         max_life = 10h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>     }
>
> I'd like to note that when I copied this configuration file to a Debian system
> (and made the appropriate adjustments to the file paths), it works as expected;
> ticket lifetimes are limited by max_life and max_renewable_life.
>
> But on Gentoo, it doesn't work as expected. Tickets are good for up to 24
> hours - the client can request a shorter period. However, the KDC server
> should be able to limit the ticket length's maximum life. It doesn't - I can
> set the server to have a max_life of 30 seconds and it'll give out tickets good
> for 24 hours. (I am restarting the KDC after making changes, of course.)
>
> And again, on Gentoo - they can't be renewed for the length of time specified
> in /etc/kdc.conf. Instead, renewal expires the second it's created - case in
> point:
>
> klist
> Ticket cache: FILE:/tmp/krb5cc_46669
> Default principal: troyt@FOO.BAR.COM
>
> Valid starting     Expires            Service principal
> 12/04/08 10:38:01  12/05/08 10:38:01  krbtgt/FOO.BAR.COM@FOO.BAR.COM
>         renew until 12/04/08 10:38:01
>
> Note that it's good for 24 hours (instead of the current setting for max_life -
> 10h), and that the renewal expires the moment it was created.

Heath Caldwell (hncaldwell) is the developer taking care of Kerberos.
I cannot reproduce this with mit-krb5-1.8.2. Please reopen if you disagree.