On 11/17/2020 1:26 PM, Greg Hudson (ghud...@mit.edu) wrote:
> On 11/17/20 12:53 PM, Jeffrey Altman wrote:
>> Just to set the record straight, Kerberos service tickets have never
>> been renewable unless they were obtained as initial tickets. Only
>> TGTs are renewable. This is true for MIT and Heimdal as well as
>> Active Directory.
>
> Both initial and non-initial non-TGTs are renewable with MIT krb5:
>
> $ make testrealm
> $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
> $ kadmin.local modprinc -maxrenewlife 1d user
> $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
> $ kinit -S host/small-gods -l 10m -r 20m
> Password for u...@krbtest.com:
> $ kinit -R -S host/small-gods
> $ kinit -l 10m -r 20m user
> Password for u...@krbtest.com:
> $ kvno host/small-gods
> host/small-g...@krbtest.com: kvno = 1
> $ kinit -R -S host/small-gods
> $
>
> There is even a messaging service at MIT that makes use of renewable
> service tickets.
>
> Prior to release 1.9 the MIT krb5 KDC supported renewing service
> tickets, but the client library did not:
> https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .
>
>> It used to be the case that "kinit -r" would fail if the requested
>> principal was "disallow-renewable". I don't remember if it was because
>> the KDC refused to issue any ticket when renewable was requested or if
>> it was the client library rejecting the ticket because it didn't satisfy
>> the request.
>
> That was KDC-side. For MIT krb5, the KDC behavior changed in release
> 1.12 to just issue a non-renewable ticket in this case.
Greg,

Thanks for tracking down the history. I'm glad to see that service tickets can be renewed. The lack of that functionality was always frustrating. Heimdal should change its behavior to match.

Jeffrey Altman
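Since a post-1.12 MIT KDC silently issues a non-renewable ticket when the principal is disallow-renewable, "kinit -r" succeeding no longer proves the ticket can be renewed; the check a practitioner wants is whether the R flag and a renew-until time actually came back. The parser below is an added example, not code from this thread or from MIT krb5: it reads `klist -f` output and reports, per ticket, whether `kinit -R` could still renew it. The sample output is constructed, and its date layout and the `renew until ..., Flags:` line format are assumptions modelled on MIT klist.

```python
import re
from datetime import datetime

# Constructed `klist -f` output (not from the thread), modelled on the quoted
# session: a TGT, the renewable host/small-gods service ticket, and a service
# ticket the KDC issued without the renewable flag (e.g. disallow-renewable).
SAMPLE_KLIST = """\
Default principal: user@KRBTEST.COM
Valid starting       Expires              Service principal
11/17/2020 13:00:00  11/17/2020 13:10:00  krbtgt/KRBTEST.COM@KRBTEST.COM
\trenew until 11/17/2020 13:20:00, Flags: FRIA
11/17/2020 13:00:00  11/17/2020 13:10:00  host/small-gods@KRBTEST.COM
\trenew until 11/17/2020 13:20:00, Flags: FRA
11/17/2020 13:01:00  11/17/2020 13:10:00  ldap/dir@KRBTEST.COM
\tFlags: FA
"""
STAMP = r"\d\d/\d\d/\d{2,4} \d\d:\d\d:\d\d"
ENTRY = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
DETAIL = re.compile(rf"^\s+(?:renew until ({STAMP}), )?Flags: (\S+)$")

def parse_stamp(s):
    # Assumed klist date layout; accept two- or four-digit years.
    fmt = "%m/%d/%Y %H:%M:%S" if len(s.split(" ")[0]) == 10 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(s, fmt)

def parse_klist(text):
    """One dict per ticket: service, expires, renew_until (or None), flags."""
    tickets = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            tickets.append({"service": m.group(3), "expires": parse_stamp(m.group(2)),
                            "renew_until": None, "flags": ""})
            continue
        m = DETAIL.match(line)
        if m and tickets:  # the indented detail line belongs to the ticket above it
            if m.group(1):
                tickets[-1]["renew_until"] = parse_stamp(m.group(1))
            tickets[-1]["flags"] = m.group(2)
    return tickets

def renewal_status(text, now):
    """service principal -> 'renewable', 'not renewable' or 'expired'."""
    # `kinit -R` can only renew a ticket the KDC flagged R, while it is still
    # valid and before its renew-until time; the KDC may silently omit R.
    def status(t):
        if "R" not in t["flags"] or t["renew_until"] is None:
            return "not renewable"
        return "expired" if now >= min(t["expires"], t["renew_until"]) else "renewable"
    return {t["service"]: status(t) for t in parse_klist(text)}
```

Run `renewal_status(SAMPLE_KLIST, datetime.now())` against real `klist -f` output after a `kinit -r` to confirm the KDC honoured the renewable request rather than quietly dropping it.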
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos