2

I am using MIT kerberos 5 on my machine to authenticate a user. This grants the ticket to the user. I want to reset the maxlife of a ticket for more than 24 hrs. By default the max life of a kerberos ticket is 24 hrs. I have tried the following steps:

  1. Changed the /var/kerberos/krb5kdc/kdc.conf I did not find max-life so I set max_life = 168h 0m 0s
  2. Changed the /etc/krb5.conf Changed the default ticket_lifetime from 24 hrs to ticket_lifetime = 168h 0m 0s
  3. By default the principal lifetime is Maximum ticket life: 1 days 00:00:00

  4. I changed it to 168h with the following command

    kadmin.local:  modify_principal -maxlife 168hours testkerb

  5. It changed to - Maximum ticket life: 7 days 00:00:00

  6. Then I did a kinit for the user and check with klist.

The klist result still shows the ticket life as 24 hrs. Output of klist is as follows:

Valid starting     Expires            Service principal
**11/19/14 12:51:59  11/20/14 12:51:59  krbtgt/EXAMPLE.COM@EXAMPLE.COM**
    renew until 11/19/14 12:51:59

If someone knows please tell me where am I doing the mistake. Less than 24 hrs I am able to change the ticket life but more than 24 hrs it does not reflect in the klist. I would appreciate the help.

slm
  • 15,396
  • 12
  • 109
  • 124
Avinav Mishra
  • 718
  • 9
  • 12

1 Answers1

4

Hi i got the working step so updating it. To change the max-lifetime of a ticket in kerberos from default 24 hrs to more than 24 hrs follow the following steps:

  1. Add the max_life property to the /var/kerberos/krb5kdc/kdc.conf file.

    max_life = 168h 0m 0s

  2. Changed the /etc/krb5.conf file.

    ticket_lifetime = 168h 0m 0s

  3. Changed the default principal krbtgt/EXAMPLE.COM@EXAMPLE.COM Maximum Life Time.

    modprinc -maxlife 168hours krbtgt/EXAMPLE.COM@EXAMPLE.COM

Now we can set the ticket life up to 7 days i.e. 168 hrs. We can do kinit for user and check the expiry of the ticket by klist.

You can also use the kadmin command and getprinc to see the state of the principal.

kadmin:  getprinc krbtgt/EXAMPLE.COM@EXAMPLE.COM
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Expiration date: [never]
Last password change: Thu Jan 05 15:23:04 EST 2017
Password expiration date: [none]
Maximum ticket life: 0 days 168:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Jun 30 08:23:23 EDT 2017 (root/admin@EXAMPLE.COM)
Last successful authentication: Fri Jun 30 08:16:47 EDT 2017
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 4
Key: vno 3, arcfour-hmac, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, des-cbc-crc, no salt
Key: vno 3, aes256-cts-hmac-sha1-96, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
slm
  • 15,396
  • 12
  • 109
  • 124
Avinav Mishra
  • 718
  • 9
  • 12