
Re: Ticket Renewal not working.



At 8:10 PM +0200 7/29/03, Love wrote:
>Love <lha@stacken.kth.se> writes:
>
>>  "Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
>>
>>>  KDC is Heimdal on NetBSD-current from a few months ago, something like
>>>  0.51 or 0.52 I think.  The principal has reasonable lifetime limits,
>>>  something like a day, with at least a week renewable.
>>>
>>>  As of the MIT 1.3 code base the GUI in KfW and KfM will auto-renew
>>>  tickets so I'd like to make sure that feature works.
>>
>>  You have to request renewable tickets before they are renewable.
>>
>>  kinit --renewable
>
>Or
>
>kinit --renewable-life='1 week'
>
>or add it to krb5.conf (see manpage)

Added an appdefaults section to the krb5.conf file on Solaris and it 
works fine.  Presume NetBSD will be same.  I probably should have 
noticed that renewable was a separate flag that had to be requested. 
Sorry for the noise.

However on OSX.2.6 I still have the following:

>[laphotz:dist/krb-doc/afs-krb5] hotz% kinit -r 7d -l 1d hotz@HOTZ.JPL.NASA.GOV
>Kerberos Login:
>Please enter the password for hotz@HOTZ.JPL.NASA.GOV:
>MacLeland: Couldn't get jpl.nasa.gov AFS tickets: Don't have Kerberos ticket-granting ticket
>[laphotz:dist/krb-doc/afs-krb5] hotz% klist -f
>Kerberos 5 ticket cache: 'API:0'
>Default Principal: hotz@HOTZ.JPL.NASA.GOV
>Valid Starting     Expires            Service Principal
>07/29/03 13:04:44  07/30/03 13:04:37  krbtgt/HOTZ.JPL.NASA.GOV@HOTZ.JPL.NASA.GOV
>         renew until 08/05/03 13:04:37, FPRI
>
>Kerberos 4 ticket cache: '0'
>Default Principal: hotz@HOTZ.JPL.NASA.GOV
>Issued             Expires            Service Principal
>07/29/03 13:04:37  07/30/03 14:30:58  krbtgt.HOTZ.JPL.NASA.GOV@HOTZ.JPL.NASA.GOV
>
>[laphotz:dist/krb-doc/afs-krb5] hotz% kinit -R
>kinit: Error getting initial tickets: You do not have tickets for this principal and Kerberos version
>[laphotz:dist/krb-doc/afs-krb5] hotz%

Now I don't believe K4 tickets can be renewable so I presume that has 
something to do with the error.  Also MIT kinit doesn't give you a 
way to only operate on the K5 ticket.  I'd have to disable K4 to test 
my theory.
-- 
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
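
An added example, not part of the original message or of any Kerberos distribution: a Python check that reads `klist -f` output in the layout quoted above, separates the Kerberos 5 cache from the Kerberos 4 one, and reports whether the K5 TGT carries the renewable (R) flag and is still inside its lifetimes. The sample output is constructed with a placeholder realm, and the function name `v5_tgt_status` is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the `klist -f` layout quoted in the message;
# the principal and realm are placeholders.
SAMPLE = """\
Kerberos 5 ticket cache: 'API:0'
Default Principal: user@EXAMPLE.COM
Valid Starting     Expires            Service Principal
07/29/03 13:04:44  07/30/03 13:04:37  krbtgt/EXAMPLE.COM@EXAMPLE.COM
         renew until 08/05/03 13:04:37, FPRI

Kerberos 4 ticket cache: '0'
Default Principal: user@EXAMPLE.COM
Issued             Expires            Service Principal
07/29/03 13:04:37  07/30/03 14:30:58  krbtgt.EXAMPLE.COM@EXAMPLE.COM
"""

FMT = "%m/%d/%y %H:%M:%S"
TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^({TS})\s+({TS})\s+(krbtgt/\S+)$")
# Detail line: optional "renew until <time>", then the flag letters
# (with or without a "Flags:" label in front of them).
DETAIL = re.compile(rf"^\s+(?:renew until ({TS}))?(?:,\s*)?(?:Flags:\s*)?([A-Za-z]*)\s*$")

def v5_tgt_status(klist_output, now):
    """Return (renewable, reason) for the Kerberos 5 TGT in `klist -f` output."""
    lines = klist_output.splitlines()
    in_v5 = True
    for i, line in enumerate(lines):
        if line.startswith("Kerberos "):        # section header: v5 or v4 cache
            in_v5 = line.startswith("Kerberos 5")
        m = TICKET.match(line) if in_v5 else None
        if not m:
            continue
        d = DETAIL.match(lines[i + 1]) if i + 1 < len(lines) else None
        until, flags = (d.group(1), d.group(2)) if d else (None, "")
        if until is None or "R" not in flags:
            return False, "TGT was issued without the renewable flag"
        if now >= datetime.strptime(m.group(2), FMT):
            return False, "TGT has expired; only a still-valid ticket can be renewed"
        if now >= datetime.strptime(until, FMT):
            return False, "renewable lifetime is used up"
        return True, "renewable until " + until
    return False, "no Kerberos 5 TGT in the cache"

if __name__ == "__main__":
    print(v5_tgt_status(SAMPLE, datetime(2003, 7, 29, 14, 0, 0)))
```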