[OpenAFS] OpenAFS + Kerb5: lifetimes

Jeff Blaine jblaine@kickflop.net
Thu, 12 Jul 2007 23:52:03 -0400


I don't know if you missed it, but I did and replied
already.  kinit -l7d did nothing worthwhile.

Derrick J Brashear wrote:
> sure, but ignore the config files and give kinit a lifetime switch
> 
> On Thu, 12 Jul 2007, Jeff Blaine wrote:
> 
>> This is MIT Kerberos as shipped with RHELv4.
>>
>> ticket_lifetime = 2d in [libdefaults] of krb5.conf buys
>> me nothing.  ticket_lifetime is not a documented option
>> for [libdefaults] according to the official MIT docs.
>>
>> ticket_lifetime=2d as an option to pam_krb5RA.so buys
>> me nothing.
>>
>> Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): none: pam_sm_authenticate: entry (0x1)
>> Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: attempting authentication as jblaine@RCF.MITRE.ORG
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: pam_sm_authenticate: exit (success)
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4367]: Accepted keyboard-interactive/pam for jblaine from ::ffff:129.83.10.14 port 60577 ssh2
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd(pam_unix)[4370]: session opened for user jblaine by (uid=0)
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: no context found, creating one
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: found initial ticket cache at /tmp/krb5cc_pam_MB3OqY
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: initializing ticket cache FILE:/tmp/krb5cc_26560_HBBo23
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: exit (success)
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): pam_sm_open_session: entry (0x0)
>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): running /usr/afsws/bin/aklog as UID 26560
>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): pam_sm_open_session: exit (success)
>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: entry (0x8)
>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: exit (success)
>>
>> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist
>> Ticket cache: FILE:/tmp/krb5cc_26560_zdQIVJ
>> Default principal: jblaine@RCF.MITRE.ORG
>>
>> Valid starting     Expires            Service principal
>> 07/12/07 17:25:36  07/13/07 17:25:36 krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
>>        renew until 07/12/07 17:25:36
>> 07/12/07 17:25:36  07/13/07 17:25:36 afs@RCF.MITRE.ORG
>>        renew until 07/12/07 17:25:36
>>
>>
>> Kerberos 4 ticket cache: /tmp/tkt26560
>> klist: You have no tickets cached
>> ~:rcf-kerbtest-linux> tokens
>>
>> Tokens held by the Cache Manager:
>>
>> User's (AFS ID 26560) tokens for afs@rcf.mitre.org [Expires Jul 13 17:25]
>>   --End of list--
>> ~:rcf-kerbtest-linux>
>>
>> Derrick J Brashear wrote:
>>> kinit -l7d ?
>>>
>>> On Thu, 12 Jul 2007, Jeff Blaine wrote:
>>>
>>>> I spoke way too soon.
>>>>
>>>> One of them was off.
>>>>
>>>> They're all three set to "2 days" now as a test and I still only
>>>> get tickets and tokens for 24hrs.
>>>>
>>>> Jeffrey Altman wrote:
>>>>> Jeff Blaine wrote:
>>>>>> I'm using OpenAFS 1.4.3, pam_afs_session, and pam_krb5 from
>>>>>> Russ Allbery.  Can anyone shed light on why my tickets and
>>>>>> tokens have only a 24hr lifetime?
>>>>>>
>>>>>> kadmin.local:  getprinc jblaine
>>>>>> Principal: jblaine@RCF.MITRE.ORG
>>>>>> Expiration date: [never]
>>>>>> Last password change: Mon Apr 23 14:50:16 EDT 2007
>>>>>> Password expiration date: [none]
>>>>>> Maximum ticket life: 7 days 00:00:00
>>>>>> Maximum renewable life: 0 days 00:00:00
>>>>>> Last modified: Tue May 01 14:32:01 EDT 2007 (root/admin@RCF.MITRE.ORG)
>>>>>> Last successful authentication: [never]
>>>>>> Last failed authentication: [never]
>>>>>> Failed password attempts: 0
>>>>>> Number of keys: 2
>>>>>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>>>>>> Key: vno 1, DES cbc mode with CRC-32, no salt
>>>>>> Attributes:
>>>>>> Policy: [none]
>>>>>> kadmin.local:
>>>>>
>>>>> What are the maximum ticket lifetimes for your
>>>>> krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG and afs[/cell]@RCF.MITRE.ORG
>>>>> principals?
>>>>>
>>>>> The maximum lifetime is the minimum of the user, tgt and service 
>>>>> principals.
>>>>>
>>>>> Jeffrey Altman
>>>> _______________________________________________
>>>> OpenAFS-info mailing list
>>>> OpenAFS-info@openafs.org
>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>>
>>>
>
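
Added example, not part of the original thread: a Python check that applies the rule quoted above (maximum lifetime is the minimum of the user, TGT and service principals) to `getprinc` text and compares it with the lifetimes `klist` actually shows. The krbtgt and afs "Maximum ticket life" values are assumptions taken from the "2 days" test mentioned in the thread; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed input. Only the jblaine line is from the thread's getprinc
# output; the krbtgt and afs values are assumed from the "2 days" test.
GETPRINC = {
    "jblaine@RCF.MITRE.ORG": "Maximum ticket life: 7 days 00:00:00",
    "krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG": "Maximum ticket life: 2 days 00:00:00",
    "afs@RCF.MITRE.ORG": "Maximum ticket life: 2 days 00:00:00",
}
# klist rows as posted in the thread.
KLIST = """\
Valid starting     Expires            Service principal
07/12/07 17:25:36  07/13/07 17:25:36 krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
       renew until 07/12/07 17:25:36
07/12/07 17:25:36  07/13/07 17:25:36 afs@RCF.MITRE.ORG
       renew until 07/12/07 17:25:36
"""
LIFE_RE = re.compile(r"Maximum ticket life:\s*(\d+) days? (\d+):(\d+):(\d+)")
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
ROW_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$", re.M)
FMT = "%m/%d/%y %H:%M:%S"

def max_life(getprinc_text):
    """Parse 'Maximum ticket life' from kadmin getprinc output."""
    m = LIFE_RE.search(getprinc_text)
    if m is None:
        raise ValueError("no 'Maximum ticket life' line found")
    d, h, mi, s = map(int, m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)

def principal_cap(getprinc):
    """Minimum of the user, TGT and service principal maximum lives."""
    return min(max_life(text) for text in getprinc.values())

def granted(klist_text):
    """Map each service principal in klist output to its ticket lifetime."""
    return {svc: datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
            for start, end, svc in ROW_RE.findall(klist_text)}

def check(getprinc, klist_text):
    """Compare each granted lifetime with the principal-derived cap."""
    cap = principal_cap(getprinc)
    result = {}
    for service, life in granted(klist_text).items():
        if life == cap:
            result[service] = "at principal cap"
        elif life < cap:
            result[service] = "below principal cap: limited elsewhere"
        else:
            result[service] = "above principal cap: re-check principals"
    return result
```

With these inputs both tickets come out at 24 hours against a 2-day cap, which is the mismatch the thread is chasing: the principal settings alone do not explain the lifetime.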