[OpenAFS] OpenAFS + Kerb5: lifetimes
Derrick J Brashear
shadow@dementia.org
Fri, 13 Jul 2007 01:02:54 -0400 (EDT)
On Thu, 12 Jul 2007, Jeff Blaine wrote:
> I don't know if you missed it, but I did and replied
> already. kinit -l7d did nothing worthwhile.
Apparently I did. Damn.
>
> Derrick J Brashear wrote:
>> sure, but ignore the config files and give kinit a lifetime switch
>>
>> On Thu, 12 Jul 2007, Jeff Blaine wrote:
>>
>>> This is MIT Kerberos as shipped with RHELv4.
>>>
>>> ticket_lifetime = 2d in [libdefaults] of krb5.conf buys
>>> me nothing. ticket_lifetime is not a documented option
>>> for [libdefaults] according to the official MIT docs.
>>>
>>> ticket_lifetime=2d as an option to pam_krb5RA.so buys
>>> me nothing.
>>>
>>> Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): none:
>>> pam_sm_authenticate: entry (0x1)
>>> Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: attempting
>>> authentication as jblaine@RCF.MITRE.ORG
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd: (pam_krb5): jblaine:
>>> pam_sm_authenticate: exit (success)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4367]: Accepted
>>> keyboard-interactive/pam for jblaine from ::ffff:129.83.10.14 port 60577
>>> ssh2
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd(pam_unix)[4370]: session opened
>>> for user jblaine by (uid=0)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none:
>>> pam_sm_setcred: entry (0x2)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: no
>>> context found, creating one
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: found
>>> initial ticket cache at /tmp/krb5cc_pam_MB3OqY
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine:
>>> initializing ticket cache FILE:/tmp/krb5cc_26560_HBBo23
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine:
>>> pam_sm_setcred: exit (success)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session):
>>> pam_sm_open_session: entry (0x0)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): running
>>> /usr/afsws/bin/aklog as UID 26560
>>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_afs_session):
>>> pam_sm_open_session: exit (success)
>>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine:
>>> pam_sm_setcred: entry (0x8)
>>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine:
>>> pam_sm_setcred: exit (success)
>>>
>>> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist
>>> Ticket cache: FILE:/tmp/krb5cc_26560_zdQIVJ
>>> Default principal: jblaine@RCF.MITRE.ORG
>>>
>>> Valid starting Expires Service principal
>>> 07/12/07 17:25:36 07/13/07 17:25:36 krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
>>> renew until 07/12/07 17:25:36
>>> 07/12/07 17:25:36 07/13/07 17:25:36 afs@RCF.MITRE.ORG
>>> renew until 07/12/07 17:25:36
>>>
>>>
>>> Kerberos 4 ticket cache: /tmp/tkt26560
>>> klist: You have no tickets cached
>>> ~:rcf-kerbtest-linux> tokens
>>>
>>> Tokens held by the Cache Manager:
>>>
>>> User's (AFS ID 26560) tokens for afs@rcf.mitre.org [Expires Jul 13 17:25]
>>> --End of list--
>>> ~:rcf-kerbtest-linux>
>>>
>>> Derrick J Brashear wrote:
>>>> kinit -l7d ?
>>>>
>>>> On Thu, 12 Jul 2007, Jeff Blaine wrote:
>>>>
>>>>> I spoke way too soon.
>>>>>
>>>>> One of them was off.
>>>>>
>>>>> They're all three set to "2 days" now as a test and I still only
>>>>> get tickets and tokens for 24hrs.
>>>>>
>>>>> Jeffrey Altman wrote:
>>>>>> Jeff Blaine wrote:
>>>>>>> I'm using OpenAFS 1.4.3, pam_afs_session, and pam_krb5 from
>>>>>>> Russ Alberry. Can anyone shed light on why my tickets and
>>>>>>> tokens have only a 24hr lifetime?
>>>>>>>
>>>>>>> kadmin.local: getprinc jblaine
>>>>>>> Principal: jblaine@RCF.MITRE.ORG
>>>>>>> Expiration date: [never]
>>>>>>> Last password change: Mon Apr 23 14:50:16 EDT 2007
>>>>>>> Password expiration date: [none]
>>>>>>> Maximum ticket life: 7 days 00:00:00
>>>>>>> Maximum renewable life: 0 days 00:00:00
>>>>>>> Last modified: Tue May 01 14:32:01 EDT 2007 (root/admin@RCF.MITRE.ORG)
>>>>>>> Last successful authentication: [never]
>>>>>>> Last failed authentication: [never]
>>>>>>> Failed password attempts: 0
>>>>>>> Number of keys: 2
>>>>>>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>>>>>>> Key: vno 1, DES cbc mode with CRC-32, no salt
>>>>>>> Attributes:
>>>>>>> Policy: [none]
>>>>>>> kadmin.local:
>>>>>>
>>>>>> What are the maximum ticket lifetimes for your
>>>>>> krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG and afs[/cell]@RCF@MITRE.ORG
>>>>>> principals?
>>>>>>
>>>>>> The maximum lifetime is the minimum of the user, tgt and service
>>>>>> principals.
>>>>>>
>>>>>> Jeffrey Altman
>>>>> _______________________________________________
>>>>> OpenAFS-info mailing list
>>>>> OpenAFS-info@openafs.org
>>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>>>
>>>>
>>> _______________________________________________
>>> OpenAFS-info mailing list
>>> OpenAFS-info@openafs.org
>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>
>>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>