[OpenAFS] OpenAFS + Kerb5: lifetimes

Derrick J Brashear shadow@dementia.org
Fri, 13 Jul 2007 01:02:54 -0400 (EDT)


On Thu, 12 Jul 2007, Jeff Blaine wrote:

> I don't know if you missed it, but I did and replied
> already.  kinit -l7d did nothing worthwhile.

Apparently I did. Damn.

>
> Derrick J Brashear wrote:
>> sure, but ignore the config files and give kinit a lifetime switch
>> 
>> On Thu, 12 Jul 2007, Jeff Blaine wrote:
>> 
>>> This is MIT Kerberos as shipped with RHELv4.
>>> 
>>> ticket_lifetime = 2d in [libdefaults] of krb5.conf buys
>>> me nothing.  ticket_lifetime is not a documented option
>>> for [libdefaults] according to the official MIT docs.
>>> 
>>> ticket_lifetime=2d as an option to pam_krb5RA.so buys
>>> me nothing.
>>> 
>>> Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): none: pam_sm_authenticate: entry (0x1)
>>> Jul 12 17:24:06 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: attempting authentication as jblaine@RCF.MITRE.ORG
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd: (pam_krb5): jblaine: pam_sm_authenticate: exit (success)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4367]: Accepted keyboard-interactive/pam for jblaine from ::ffff:129.83.10.14 port 60577 ssh2
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd(pam_unix)[4370]: session opened for user jblaine by (uid=0)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: pam_sm_setcred: entry (0x2)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): none: no context found, creating one
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: found initial ticket cache at /tmp/krb5cc_pam_MB3OqY
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: initializing ticket cache FILE:/tmp/krb5cc_26560_HBBo23
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: exit (success)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): pam_sm_open_session: entry (0x0)
>>> Jul 12 17:24:10 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): running /usr/afsws/bin/aklog as UID 26560
>>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_afs_session): pam_sm_open_session: exit (success)
>>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: entry (0x8)
>>> Jul 12 17:24:11 rcf-kerbtest-linux sshd[4370]: (pam_krb5): jblaine: pam_sm_setcred: exit (success)
>>> 
>>> ~:rcf-kerbtest-linux> /usr/kerberos/bin/klist
>>> Ticket cache: FILE:/tmp/krb5cc_26560_zdQIVJ
>>> Default principal: jblaine@RCF.MITRE.ORG
>>> 
>>> Valid starting     Expires            Service principal
>>> 07/12/07 17:25:36  07/13/07 17:25:36 krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
>>>        renew until 07/12/07 17:25:36
>>> 07/12/07 17:25:36  07/13/07 17:25:36 afs@RCF.MITRE.ORG
>>>        renew until 07/12/07 17:25:36
>>> 
>>> 
>>> Kerberos 4 ticket cache: /tmp/tkt26560
>>> klist: You have no tickets cached
>>> ~:rcf-kerbtest-linux> tokens
>>> 
>>> Tokens held by the Cache Manager:
>>> 
>>> User's (AFS ID 26560) tokens for afs@rcf.mitre.org [Expires Jul 13 17:25]
>>>   --End of list--
>>> ~:rcf-kerbtest-linux>
>>> 
>>> Derrick J Brashear wrote:
>>>> kinit -l7d ?
>>>> 
>>>> On Thu, 12 Jul 2007, Jeff Blaine wrote:
>>>> 
>>>>> I spoke way too soon.
>>>>> 
>>>>> One of them was off.
>>>>> 
>>>>> They're all three set to "2 days" now as a test and I still only
>>>>> get tickets and tokens for 24hrs.
>>>>> 
>>>>> Jeffrey Altman wrote:
>>>>>> Jeff Blaine wrote:
>>>>>>> I'm using OpenAFS 1.4.3, pam_afs_session, and pam_krb5 from
>>>>>>> Russ Allbery.  Can anyone shed light on why my tickets and
>>>>>>> tokens have only a 24hr lifetime?
>>>>>>> 
>>>>>>> kadmin.local:  getprinc jblaine
>>>>>>> Principal: jblaine@RCF.MITRE.ORG
>>>>>>> Expiration date: [never]
>>>>>>> Last password change: Mon Apr 23 14:50:16 EDT 2007
>>>>>>> Password expiration date: [none]
>>>>>>> Maximum ticket life: 7 days 00:00:00
>>>>>>> Maximum renewable life: 0 days 00:00:00
>>>>>>> Last modified: Tue May 01 14:32:01 EDT 2007 (root/admin@RCF.MITRE.ORG)
>>>>>>> Last successful authentication: [never]
>>>>>>> Last failed authentication: [never]
>>>>>>> Failed password attempts: 0
>>>>>>> Number of keys: 2
>>>>>>> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
>>>>>>> Key: vno 1, DES cbc mode with CRC-32, no salt
>>>>>>> Attributes:
>>>>>>> Policy: [none]
>>>>>>> kadmin.local:
>>>>>> 
>>>>>> What are the maximum ticket lifetimes for your
>>>>>> krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG and afs[/cell]@RCF.MITRE.ORG
>>>>>> principals?
>>>>>> 
>>>>>> The maximum lifetime is the minimum of the user, tgt and service 
>>>>>> principals.
>>>>>> 
>>>>>> Jeffrey Altman
>>>>> _______________________________________________
>>>>> OpenAFS-info mailing list
>>>>> OpenAFS-info@openafs.org
>>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>>> 
>>>> 
>> 
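Jeffrey Altman's rule in the thread (the granted lifetime is the minimum of the user, krbtgt and service principal maxima) as a small added model, not code from the thread or from any of its posters: it parses the klist output Jeff posted, accepts Kerberos duration strings like the 7d and 2d used above, and names the cap that bound the ticket. It goes one step beyond the thread by also treating the realm-wide max_life from kdc.conf as a cap (MIT's default for that setting is 24 hours); the kdc.conf value fed in is an assumption, since the thread never shows that file.

```python
import re
from datetime import datetime, timedelta

# klist output as posted in the thread, embedded here as sample input
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_26560_zdQIVJ
Default principal: jblaine@RCF.MITRE.ORG

Valid starting     Expires            Service principal
07/12/07 17:25:36  07/13/07 17:25:36 krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
       renew until 07/12/07 17:25:36
07/12/07 17:25:36  07/13/07 17:25:36 afs@RCF.MITRE.ORG
       renew until 07/12/07 17:25:36
"""

TS = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$", re.M)
DURATION_RE = re.compile(r"(\d+)([dhms])")
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(spec):
    """Parse a Kerberos-style duration string such as '7d', '2d', '24h' or '1d12h'."""
    parts = DURATION_RE.findall(spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError(f"bad duration: {spec!r}")
    return timedelta(seconds=sum(int(n) * UNIT[u] for n, u in parts))

def parse_klist(text):
    """Map each service principal in klist output to its lifetime (Expires - Valid starting)."""
    fmt = "%m/%d/%y %H:%M:%S"
    return {svc: datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
            for start, end, svc in TICKET_RE.findall(text)}

def effective_lifetime(requested, client_max, tgt_max, service_max, realm_max):
    """The KDC grants the minimum of the requested life and every principal/realm cap;
    returns (lifetime, name of the cap that bound it). realm_max is the kdc.conf max_life."""
    caps = {"requested": requested, "client principal": client_max,
            "krbtgt principal": tgt_max, "service principal": service_max,
            "realm max_life (kdc.conf)": realm_max}
    caps = {name: parse_duration(spec) for name, spec in caps.items()}
    binding = min(caps, key=caps.get)
    return caps[binding], binding

def binding_cap(klist_text, service, **caps):
    """Name the cap that explains the lifetime klist shows for `service`, or None if none does."""
    granted, name = effective_lifetime(**caps)
    return name if granted == parse_klist(klist_text)[service] else None
```

With the thread's values (kinit -l7d, user/krbtgt/afs all at 2d) and an assumed default 24h realm max_life, binding_cap names the realm cap; with every cap at 2d or more it returns None, meaning the observed 24h lifetime is not explained by the caps supplied.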