On 11/17/20 12:53 PM, Jeffrey Altman wrote:
> Just to set the record straight, Kerberos service tickets have never
> been renewable unless they were obtained as initial tickets. Only
> TGTs are renewable. This is true for MIT and Heimdal as well as
> Active Directory.
Both initial and non-initial non-TGTs are renewable with MIT krb5:

$ make testrealm
$ kadmin.local modprinc -maxrenewlife 1d host/small-gods
$ kadmin.local modprinc -maxrenewlife 1d user
$ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
$ kinit -S host/small-gods -l 10m -r 20m
Password for u...@krbtest.com:
$ kinit -R -S host/small-gods
$ kinit -l 10m -r 20m user
Password for u...@krbtest.com:
$ kvno host/small-gods
host/small-g...@krbtest.com: kvno = 1
$ kinit -R -S host/small-gods
$

There is even a messaging service at MIT that makes use of renewable
service tickets.

Prior to release 1.9 the MIT krb5 KDC supported renewing service
tickets, but the client library did not:
https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .

> It used to be the case that "kinit -r" would fail if the requested
> principal was "disallow-renewable". I don't remember if it was because
> the KDC refused to issue any ticket when renewable was requested or if
> it was the client library rejecting the ticket because it didn't satisfy
> the request.

That was KDC-side. For MIT krb5, the KDC behavior changed in release
1.12 to just issue a non-renewable ticket in this case.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
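As an added illustration of the rules the reply above describes (example code written for this page, not code from the thread or from MIT krb5): a simplified Python model of the KDC's renewable-ticket decision for both AS (initial) and TGS (non-initial) requests, including the pre-1.12 refusal for disallow-renewable principals and the pre-1.9 client-library limitation. Principal names, lifetimes and the `Principal`/`Ticket` types are constructed for the example; the realm-wide limit is modelled by the krbtgt entry's maxrenewlife, as in the session above.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Principal:
    name: str
    max_renew_life: int            # seconds allowed by maxrenewlife (0 = never)
    disallow_renewable: bool = False

@dataclass
class Ticket:
    client: str
    server: str
    initial: bool                  # obtained via AS request (kinit -S) or via TGS
    renewable: bool
    renew_till: int                # renewable lifetime granted, in seconds

def issue_ticket(client: Principal, server: Principal, requested_renew: int,
                 kdc_version: Tuple[int, int], tgt: Optional[Ticket] = None) -> Ticket:
    """Model (not MIT's code) of the KDC deciding whether a ticket is renewable.
    The server may be a TGT or any service: nothing here depends on the name."""
    initial = tgt is None
    if requested_renew <= 0:               # no -r given: plain non-renewable ticket
        return Ticket(client.name, server.name, initial, False, 0)
    if client.disallow_renewable or server.disallow_renewable:
        if kdc_version < (1, 12):           # older KDCs refused the whole request
            raise PermissionError("KDC policy rejects request (pre-1.12 behaviour)")
        return Ticket(client.name, server.name, initial, False, 0)   # 1.12+
    # Renewable life is clamped by the request and by every involved principal.
    limit = min(requested_renew, client.max_renew_life, server.max_renew_life)
    if tgt is not None:                     # a TGS-issued ticket cannot outlive its TGT
        limit = min(limit, tgt.renew_till)
    if limit <= 0:
        return Ticket(client.name, server.name, initial, False, 0)
    return Ticket(client.name, server.name, initial, True, limit)

def client_can_renew(ticket: Ticket, client_version: Tuple[int, int]) -> bool:
    """Before 1.9 the MIT client library would only renew TGTs (RT 6699)."""
    if not ticket.renewable:
        return False
    return ticket.server.startswith("krbtgt/") or client_version >= (1, 9)

if __name__ == "__main__":
    user = Principal("user", 86400)
    host = Principal("host/small-gods", 86400)
    krbtgt = Principal("krbtgt/KRBTEST.COM", 86400)
    svc = issue_ticket(user, host, 1200, (1, 19))            # kinit -S host/... -r 20m
    print(svc.renewable, client_can_renew(svc, (1, 19)))     # True True
```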