
Unable to change Kerberos Ticket Life and Renewal Life


Gaurav Dasgupta

Apr 18, 2013, 2:45:06 AM
to Kerb...@mit.edu
Hi All,

I have MIT Kerberos set up in a CentOS 6 cluster. Everything is working fine
except one thing. I want to change the default ticket life for all the
principals and their renewal time also. For that I have first changed
/etc/krb5.conf to change the value of ticket_lifetime = 7d and
renew_lifetime = 30d.

Then I restarted the krb5kdc and kadmin services. Then, from the
kadmin.local shell, I used the following commands:

modprinc -maxrenewlife 7day krbtgt/MY_REALM
modprinc -maxrenewlife 7day +allow_renewable gaurav

Note: krbtgt/MY_REALM is the default service principal and gaurav is
a user principal.

Now, when I am doing kinit for gaurav, and then klist to check the
ticket details, I cannot see the new ticket_lifetime and renew_lifetime
reflected. It's showing the old (default) values of 24h (ticket_lifetime)
and 7d (renew_lifetime).

I have also tried the command kinit -l 7d. But this is also not working.

Can someone tell me how else I can change the ticket_lifetime and
renew_lifetime for all the principals?

Thanks,
Gaurav
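
Added example, not part of the thread and not from MIT Kerberos itself: the MIT KDC does not grant the lifetime the client asks for, it grants the smallest of the requested value (kinit -l / kinit -r, or ticket_lifetime / renew_lifetime in krb5.conf) and three caps: the client principal's maxlife / maxrenewlife, the krbtgt principal's maxlife / maxrenewlife, and the realm's max_life / max_renewable_life in kdc.conf (24 hours and 0 respectively when unset). Raising only one of them, as the post above did for maxrenewlife, leaves the others binding, which is why neither the krb5.conf change nor kinit -l 7d had any visible effect. The script below parses the duration strings kinit and kadmin accept (including the "N days HH:MM:SS" text that getprinc prints), applies the minimum rule, and names the cap that is still binding. The numbers in demo are assumed for illustration, not taken from the poster's configuration.

```sh
#!/bin/sh
# Added example (not from the thread): model how the MIT KDC clamps the
# ticket life and renewable life it grants. Nothing here talks to a KDC.

# Convert a krb5 duration string to seconds. Accepts the forms kinit and
# kadmin take ("7d", "24h", "1d12h", "7day", "7 days", "10 hours",
# "H:M:S", a bare number of seconds) and the "N days HH:MM:SS" text that
# kadmin's getprinc prints. Returns 1 on anything it cannot parse.
krb5_duration_to_seconds() {
    [ -n "$1" ] || { echo "empty duration" >&2; return 1; }
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]' |
      sed -e 's/days/d/g'    -e 's/day/d/g' \
          -e 's/hours/h/g'   -e 's/hour/h/g'   -e 's/hrs/h/g'  -e 's/hr/h/g' \
          -e 's/minutes/m/g' -e 's/minute/m/g' -e 's/mins/m/g' -e 's/min/m/g' \
          -e 's/seconds/s/g' -e 's/second/s/g' -e 's/secs/s/g' -e 's/sec/s/g' |
      awk '
        # "H:M[:S]", optionally preceded by "Nd" (the getprinc layout)
        /^([0-9]+d)?[0-9]+:[0-9]+(:[0-9]+)?$/ {
            s = $0; days = (s ~ /^[0-9]+d/) ? s + 0 : 0; sub(/^[0-9]+d/, "", s)
            n = split(s, p, ":")
            print days * 86400 + p[1] * 3600 + p[2] * 60 + (n > 2 ? p[3] : 0)
            exit 0
        }
        # "7d", "1d12h", "30m", "90s", bare seconds; anything else is an error
        !/^([0-9]+[dhms])*[0-9]*$/ { exit 1 }
        {
            s = $0; total = 0
            while (match(s, /^[0-9]+[dhms]?/)) {
                tok = substr(s, 1, RLENGTH); s = substr(s, RLENGTH + 1)
                unit = substr(tok, length(tok))       # last char: d, h, m, s or a digit
                if (unit == "d") total += tok * 86400
                else if (unit == "h") total += tok * 3600
                else if (unit == "m") total += tok * 60
                else total += tok                     # plain seconds
            }
            print total
        }' || { echo "unparseable duration: $1" >&2; return 1; }
}

# Print the value the KDC would actually grant: the smallest of the given
# label=duration pairs. The binding label goes to stderr so you know which
# knob still needs raising. Use it once for ticket life and once for
# renewable life.
kdc_clamp() {
    min=''; min_label=''
    for pair in "$@"; do
        label=${pair%%=*}; val=${pair#*=}
        secs=$(krb5_duration_to_seconds "$val") || return 1
        if [ -z "$min" ] || [ "$secs" -lt "$min" ]; then
            min=$secs; min_label=$label
        fi
    done
    echo "binding cap: $min_label ($min s)" >&2
    echo "$min"
}

# Replay the symptom from the thread with ASSUMED numbers: krb5.conf now asks
# for 7d / 30d and the krbtgt and user principals got -maxrenewlife 7day, but
# no maxlife cap was raised, so the KDC still issues 24h tickets that are
# renewable for 7d.
demo() {
    printf 'ticket life granted:    %s s\n' \
        "$(kdc_clamp requested=7d user_maxlife=24h krbtgt_maxlife=24h kdc_conf_max_life=24h)"
    printf 'renewable life granted: %s s\n' \
        "$(kdc_clamp requested=30d user_maxrenewlife=7day krbtgt_maxrenewlife=7day kdc_conf_max_renewable_life=7d)"
}
demo
```

To find your real numbers, read the "Maximum ticket life" and "Maximum renewable life" lines from kadmin.local -q "getprinc krbtgt/REALM@REALM" and from getprinc on the user principal, and the [realms] entry in kdc.conf; feed them to kdc_clamp and it tells you which one to raise (modprinc -maxlife / -maxrenewlife for principals, an edit plus krb5kdc restart for kdc.conf). Tickets already in a cache keep the lifetime they were issued with, so run kinit again after the change.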

Tiago Elvas

Apr 18, 2013, 4:23:58 AM
to Gaurav Dasgupta, kerb...@mit.edu
Hi Gaurav,

I have received great help from this mailing list for the same issue.
I think you'll find useful information in this topic:
http://serverfault.com/questions/132123/how-to-change-the-kerberos-default-ticket-lifetime

Best regards,

Tiago
> ________________________________________________
> Kerberos mailing list Kerb...@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

rohit sarewar

Apr 18, 2013, 4:34:37 AM
to Tiago Elvas, kerb...@mit.edu
Hi Tiago

As an administrator, how can I renew all principals using a command?
There are a large number of principals in my case.

Regards
Rohit Sarewar

Gaurav Dasgupta

Apr 18, 2013, 4:56:44 AM
to rohit sarewar, kerb...@mit.edu
Thanks Tiago. The link helped me identify what I was missing. And now the
issue is solved.
As Rohit has asked, even I would like to find out if there is a single
command using which I can modify all the principals in a shot instead of
modifying them one by one.

Thanks,
Gaurav

Tiago Elvas

Apr 18, 2013, 5:00:02 AM
to rohit sarewar, kerb...@mit.edu
Hi,

I honestly don't know how to update all the users at the same time inside
kadmin. However....

My guess would be to:

- Create a keytab with root/admin credentials (I would suggest you
  create a principal named root_script/admin or something)
- List all the principals in a bash script
- Loop over the list and modify all the principals, using the keytab
  previously created to connect through kadmin with the command:
  kadmin -p root_script/admin -k -t <keytab_filename> -q <query>
- <query> should be a command as if you were inside kadmin:
  "modprinc...." to do whatever you want

Hope the info was helpful.

Best regards,
Tiago
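
Added example, not part of the thread: the procedure Tiago sketches, written out as a script. The names are assumed (admin principal root_script/admin, keytab /etc/krb5.script.keytab, realm EXAMPLE.COM) and the principal list in dry_run_demo is constructed. Before a live run the principal needs a kadm5.acl line granting it at least "l" (list) and "m" (modify), and a keytab made with kadmin.local -q "ktadd -k /etc/krb5.script.keytab root_script/admin" (ktadd randomizes the key, so the principal's password stops working; use -norandkey from kadmin.local if you need to keep it). The keytab is a standing admin credential: keep it root-owned, mode 0600, on the KDC host only, and delete the principal when the job is done.

```sh
#!/bin/sh
# Added example (not from the thread): apply one modprinc to every
# principal in the realm, along the lines Tiago sketched. ASSUMED names:
# admin principal root_script/admin, keytab /etc/krb5.script.keytab,
# realm EXAMPLE.COM.

ADMIN_PRINC=${ADMIN_PRINC:-root_script/admin}
ADMIN_KEYTAB=${ADMIN_KEYTAB:-/etc/krb5.script.keytab}
KADMIN=${KADMIN:-kadmin}            # KADMIN=echo turns every call into a dry run
PRINCIPAL_FILE=${PRINCIPAL_FILE:-}  # if set, read principals from here instead of the KDC

# One kadmin query, authenticated with the script's keytab.
kadmin_q() {
    "$KADMIN" -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB" -q "$1"
}

# The query for one principal; kept separate so it can be checked without a KDC.
modprinc_query() {   # principal maxlife maxrenewlife
    printf 'modprinc -maxlife %s -maxrenewlife %s %s' "$2" "$3" "$1"
}

# All principals, one per line. grep drops kadmin's banner and blank lines.
list_principals() {
    if [ -n "$PRINCIPAL_FILE" ]; then cat "$PRINCIPAL_FILE"; else kadmin_q list_principals; fi |
      grep '@'
}

# Service principals a bulk change should leave alone. The realm's own
# krbtgt is handled explicitly below; cross-realm krbtgt entries are
# skipped deliberately.
skip_principal() {
    case "$1" in
        K/M@*|kadmin/*|krbtgt/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Set maxlife/maxrenewlife on krbtgt first (its caps bind every TGT in the
# realm), then on every remaining principal.
set_lifetimes_for_all() {   # maxlife maxrenewlife realm
    kadmin_q "$(modprinc_query "krbtgt/$3@$3" "$1" "$2")"
    list_principals | while IFS= read -r princ; do
        skip_principal "$princ" && continue
        kadmin_q "$(modprinc_query "$princ" "$1" "$2")"
    done
}

# Dry run over a CONSTRUCTED principal list: prints the kadmin arguments a
# live run would execute, one line per principal.
dry_run_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' gaurav@EXAMPLE.COM rohit@EXAMPLE.COM \
        host/node1.example.com@EXAMPLE.COM kadmin/admin@EXAMPLE.COM \
        kadmin/changepw@EXAMPLE.COM K/M@EXAMPLE.COM \
        krbtgt/EXAMPLE.COM@EXAMPLE.COM > "$tmp"
    KADMIN=echo; PRINCIPAL_FILE=$tmp
    set_lifetimes_for_all 7d 30d EXAMPLE.COM
    rm -f "$tmp"
}

case "${1:-}" in
    --demo)  dry_run_demo ;;
    --apply) set_lifetimes_for_all "$2" "$3" "$4" ;;
    *)       echo "usage: $0 --demo | --apply MAXLIFE MAXRENEWLIFE REALM" >&2 ;;
esac
```

Run it with --demo first and read the printed kadmin lines; then --apply 7d 30d EXAMPLE.COM on the KDC. Only new tickets pick up the change, so users see it after their next kinit.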

Gaurav Dasgupta

Apr 18, 2013, 5:45:27 AM
to Tiago Elvas, kerb...@mit.edu
Got it. Will try this.

Thanks,
Gaurav

Dennis Davis

Apr 18, 2013, 7:22:00 AM
to Tiago Elvas, kerb...@mit.edu
On Thu, 18 Apr 2013, Tiago Elvas wrote:

> From: Tiago Elvas <tiago...@gmail.com>
> To: rohit sarewar <rohits...@gmail.com>
> Cc: "kerb...@mit.edu" <kerb...@mit.edu>
> Date: Thu, 18 Apr 2013 10:00:02
> Subject: Re: Unable to change Kerberos Ticket Life and Renewal Life
>
> I honestly don't know how to update all the users at the same time inside
> kadmin. However....
>
> My guess would be to:
>
> - Create a keytab with root/admin credentials (I would suggest you
>   create a principal named root_script/admin or something)
> - List all the principals in a bash script
> - Loop over the list and modify all the principals, using the keytab
>   previously created to connect through kadmin with the command:
>   kadmin -p root_script/admin -k -t <keytab_filename> -q <query>
> - <query> should be a command as if you were inside kadmin:
>   "modprinc...." to do whatever you want

That should work. An alternative is to write a Perl program for
this kind of work. You'll need a couple of Perl modules:

http://search.cpan.org/~jhorwitz/Krb5-1.9/Krb5.pm

http://search.cpan.org/~sjquinney/Authen-Krb5-Admin-0.17/Admin.pm

I've just removed a large number of obsolete principals from our MIT
Kerberos database using such a Perl program built against the above
Perl modules. Worked a treat.

In a similar vein, we've recently introduced a simple default
Kerberos policy to add password histories to our Kerberos
principals. I used a Perl program to retroactively apply this
policy to all existing principals.
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H....@bath.ac.uk Phone: +44 1225 386101