Extending Kerberos ticket lifetime? (OS X Server and Client Discussion / Open Directory)

  • #368511
    VirtualWolf
    Participant

    I figured this’d be easy, just use the Kerberos.app on the client and bump up the maximum ticket lifetime, but it doesn’t actually seem to have any effect. I found this on the Apple Discussion Boards but no-one actually replied to it.

    Any thoughts? TIA!

    #368518
    darkstar
    Participant

    The max_life and max_renewable_life lines in the kdc.conf determine how long your ticket will last or how long you may renew it for.

    MIT’s Mac Kerberos site has some pretty good documentation.

    http://web.mit.edu/macdev/KfM/Common/Documentation/documentation.html

    If you’re going to mess with your kdc.conf file you might check out the password dictionary option. At the very least it’s a way to get rid of the “No dictionary file specified, continuing without one” error message every time Kerberos starts up. Pay attention if you’re running any replicas. You’ll probably have to update the replica configurations by hand to match whatever changes you make to the master.

    #368521
    VirtualWolf
    Participant

    Hmmm. I don’t actually seem to have a kdc.conf file. Looking at the documentation, /Library/Preferences/edu.mit.Kerberos should do the same thing, yes?

    And forgive me if I seem dense, but the changes I’m making should be on that edu.mit.Kerberos file on the server, and I don’t have to change them anywhere else? I don’t have any replicas. Also, I assume I need to restart Kerberos to get it to read these changes (and if so, how)?

    Thanks!

    #368523
    darkstar
    Participant

    No, the edu file is different. The other one is here: /var/db/krb5kdc/kdc.conf

    It’s not really difficult, but I crashed and burned a lot of server configurations before getting to that point. Your mileage may vary.

    #368528
    VirtualWolf
    Participant

    Crap. I’ve changed the maximum ticket lifetime to 21 days on the server and rebooted it, but when I try to get a ticket above ten hours, I still get 10:01. 🙁 It just does not want to go higher than that. Argh.

    #368730
    dkallan
    Participant

    Hi guys,

    Assuming that you are talking about OS X Server with Open Directory, /var/db/krb5kdc/kdc.conf is automatically generated, so any changes you make will be overwritten. You will need to make your permanent changes to the OpenLDAPv3 database in Open Directory, which you can find under cn=config,cn=KerberosKDC as the attribute (or key) “apple-kdc-configdata”. You will need to do this as the Open Directory administrator (for example, “uid=diradmin,cn=users,dc=[MYHOST],dc=[MYDOMAIN],dc=com”).

    You can check the current file from the command line using dscl, as in:

        $ dscl -u diradmin /LDAPv3/127.0.0.1 -read /Config/KerberosKDC apple-kdc-configdata

    However, I would advise against using the command line to change attributes containing binary data such as linefeeds. You could end up with one continuous line that is unreadable by the KDC daemon. Furthermore, the -url option does not seem to work for changing attributes with escape sequences. I recommend using a utility such as Apache’s LDAP Studio (http://directory.apache.org/ldapstudio/) to edit multi-line values (you may want to ensure in the hex viewer that the line separators are Unix linefeeds (0x0A) and not Mac carriage returns (0x0D)).

    Once your changes are complete, you may reboot. If you don’t want to reboot, you can make the same change evanescently to the kdc.conf file, then kick over the krb5kdc (or kdcmond) daemon to propagate the changes.

    To test for your ticket lifetime, go to the command line for the user in question, and run kinit -l 2d (lifetime of two days).

    If Kerberos still disallows you from requesting tickets with lifetimes greater than ten hours, there may be another step. On your server, go to kadmin as the Open Directory administrator principal (for example, kadmin -p diradmin). You can then modify the Ticket-Granting Ticket principal to allow for longer ticket/renew times (modprinc -maxlife 24hours -maxrenewlife 14days +allow_renewable krbtgt/[REALM]) and also for your own user principal (modprinc -maxlife 24hours -maxrenewlife 14days +allow_renewable [USERNAME]).

    My two cents.

    Daron
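
As an added illustration of Daron’s last paragraph (example code written for this page, not from the thread and not MIT or Apple code): the lifetime a client ends up with is the smallest of several independent caps, so raising only the realm’s max_life, or only the principals’ maxlife, leaves the ticket where it was. The model below parses the duration forms used in the thread, computes which cap decided the result, and replays the three states the thread goes through. The 10-hour principal default and the “client asks for 10h” inputs are constructed assumptions for the walk-through.

```python
"""Which cap decides the lifetime a Kerberos client actually gets.

Constructed model written for this thread, not MIT or Apple code: the KDC
hands out the smallest of several caps, so raising only one of them changes
nothing. Duration strings accept the forms seen in the thread ("10h", "2d",
"24hours", "14days", "10h 0m 0s") and the H:MM[:SS] that klist displays.
"""
import re

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_PART_RE = re.compile(
    r"\s*(\d+)\s*(days?|hours?|min(?:ute)?s?|sec(?:ond)?s?|[dhms])\s*")


def parse_duration(text):
    """Duration string -> seconds; ValueError on anything unparseable."""
    text = str(text).strip().lower()
    if text.isdigit():                      # bare seconds
        return int(text)
    if ":" in text:                         # H:MM or H:MM:SS as klist prints it
        hours, minutes, seconds = ([int(p) for p in text.split(":")] + [0, 0])[:3]
        return hours * 3600 + minutes * 60 + seconds
    total, pos = 0, 0
    while pos < len(text):
        m = _PART_RE.match(text, pos)
        if not m:
            raise ValueError(f"unrecognised duration: {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)[0]]
        pos = m.end()
    if pos == 0:
        raise ValueError("empty duration")
    return total


def format_hms(seconds):
    """Seconds -> "H:MM:SS", the way klist shows a ticket's remaining life."""
    hours, rem = divmod(int(seconds), 3600)
    minutes, secs = divmod(rem, 60)
    return f"{hours}:{minutes:02d}:{secs:02d}"


def effective_lifetime(requested, *, user_maxlife, krbtgt_maxlife, realm_max_life):
    """Return (seconds granted, [names of the caps that decided it]).

    The caps are the four knobs the thread touches: what the client asks for
    (kinit -l, or the Kerberos.app default ticket options), the user
    principal's and the krbtgt principal's maxlife (kadmin modprinc), and the
    realm's max_life in kdc.conf / apple-kdc-configdata.
    """
    caps = {
        "client request": parse_duration(requested),
        "user principal maxlife": parse_duration(user_maxlife),
        "krbtgt principal maxlife": parse_duration(krbtgt_maxlife),
        "kdc.conf max_life": parse_duration(realm_max_life),
    }
    granted = min(caps.values())
    return granted, [name for name, secs in caps.items() if secs == granted]


def effective_renew_life(requested, *, allow_renewable, user_maxrenew,
                         krbtgt_maxrenew, realm_max_renewable_life):
    """Renewable life in seconds, 0 when the ticket will not be renewable.

    Simplified: without +allow_renewable on the principal, or with any cap at
    zero, the ticket is not renewable; otherwise the smallest cap wins.
    """
    if not allow_renewable:
        return 0
    caps = [parse_duration(d) for d in
            (requested, user_maxrenew, krbtgt_maxrenew, realm_max_renewable_life)]
    return 0 if 0 in caps else min(caps)


def thread_scenarios():
    """The states the thread goes through, with constructed inputs."""
    default = "10h"  # assumption: MIT's default maximum ticket life on a principal
    return {
        # kdc.conf max_life raised to 21 days and nothing else: still 10 hours
        "server_only": effective_lifetime(
            "10h", user_maxlife=default, krbtgt_maxlife=default, realm_max_life="21d"),
        # modprinc -maxlife 24hours on user and krbtgt, client still asking for 10h
        "server_and_kadmin": effective_lifetime(
            "10h", user_maxlife="24hours", krbtgt_maxlife="24hours", realm_max_life="21d"),
        # client finally asks for more (kinit -l 2d); the 24h principal caps decide
        "client_fixed": effective_lifetime(
            "2d", user_maxlife="24hours", krbtgt_maxlife="24hours", realm_max_life="21d"),
    }
```

Running thread_scenarios() shows the middle state explicitly: with the server and both principals raised, the only thing still holding the ticket at 10 hours is the client request, which is exactly the Kerberos.app default that turned out to be the last missing piece. The final state also shows a side effect of the suggested modprinc values: asking for 2 days with -maxlife 24hours yields a 24-hour ticket, capped by the principals rather than by the realm.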

    #368735
    VirtualWolf
    Participant

    Thanks Daron!

    However, I’m a bit of a n00b at all this, so I’m unsure of how to actually go about doing what you suggest. 😉 The dscl command does return the ticket lifetime as being 10 hours. I’ve tried using that LDAP Studio app, but it doesn’t want to actually connect… it comes up with a message saying:

    simple bind failed: sprite.core:389
    Remote host closed connection during handshake
    SSL peer shut down incorrectly

    I’m pretty sure I understand the rest of it! 😉

    #368736
    VirtualWolf
    Participant

    Ok, so with a bit of fiddling around I’ve got LDAP Studio worked out, the maximum life has been changed to 7 days, and that dscl command is returning the proper details, but even after restarting the kdcmond daemon and making those other changes with kadmin you suggested, it’s not giving me longer than 10 hours. 🙁

    #368737
    VirtualWolf
    Participant

    Ah HA!

    I forgot to change the ticket options in the Kerberos app (in Preferences>Default Ticket Options and Time Ranges tabs). It’s all working correctly now.

    Many thanks, Daron!

    #369670
    dkallan
    Participant

    By the way, as an addendum to my earlier post, I was recently doing something else in my LDAP directory when I discovered that these types of multi-line edits can be done directly within the OS X Server Workgroup Manager–no need to use LDAP Studio or anything. What a time saver! I can’t believe I overlooked it for all this time!

    Just make sure you have the Inspector enabled in Workgroup Manager and view the Config section. The Inspector is that little target-shaped tab to the right of Users, Groups and Machines. Inside the Config section you will see your KerberosKDC configuration. Select apple-kdc-configdata and hit the Edit… button. Obviously, to do this, you would need to be authenticated as an Open Directory administrator.

    Note: You can also edit your apple-xmlplist within cn=Config,cn=KerberosClient if you would like to add something like ticket_lifetime and renew_lifetime to your libdefaults (note that these durations should be specified as 30s or 15m or 10h or 1d). This gets transformed and pushed to your OS X clients as the /Library/Preferences/edu.mit.kerberos file. Additionally, if you are curious about how to enable your screen saver to renew or request tickets when password protected, there is a great tip in the macosxhints forum about how to modify your /etc/authorization file on your client machines (http://forums.macosxhints.com/showthread.php?t=40129).

    Cheers,

    Daron Kallan
    New York, NY USA
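
An added example covering both darkstar’s kdc.conf max_life/max_renewable_life change and Daron’s two editing caveats (the multi-line apple-kdc-configdata value must keep Unix linefeeds, and the libdefaults ticket_lifetime/renew_lifetime go into the client config). It is example code written for this page, not a tool from the thread or from Apple. The sample configs below are constructed in the ordinary MIT ini layout, with `REALM = { ... }` blocks under [realms], and the CR-mangled blob simulates the 0x0D problem described above; the realm name, paths and port values are placeholders.

```python
"""Edit a krb5-style config text (kdc.conf, krb5.conf, or the multi-line
apple-kdc-configdata value) without flattening it or leaving CR bytes in it.
Hypothetical helper written for this thread, not Apple or MIT code.
"""
import re

_SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
_REALM_OPEN_RE = re.compile(r"^\s*(\S+)\s*=\s*\{\s*$")
_CLOSE_RE = re.compile(r"^\s*\}\s*$")
_KV_RE = re.compile(r"^(\s*)(\w+)\s*=\s*(.*?)\s*$")


def check_line_endings(blob: bytes):
    """Problems that would make the KDC misread a value pulled out of LDAP."""
    problems = []
    if b"\r" in blob:
        problems.append("carriage return (0x0D) present; the KDC expects linefeeds (0x0A)")
    if b"\n" not in blob.rstrip(b"\n"):
        problems.append("value is a single line; the multi-line config was flattened")
    return problems


def normalize_newlines(text):
    """CRLF and bare CR (old Mac editors) -> LF; accepts bytes or str."""
    if isinstance(text, bytes):
        text = text.decode("utf-8")
    return text.replace("\r\n", "\n").replace("\r", "\n")


def _walk(lines):
    """Yield (section, realm, kind, match, line) with the block each line is in."""
    section = realm = None
    for line in lines:
        if (m := _SECTION_RE.match(line)):
            section, realm = m.group(1), None
            yield section, realm, "section", m, line
        elif section and realm is None and (m := _REALM_OPEN_RE.match(line)):
            realm = m.group(1)
            yield section, realm, "open", m, line
        elif realm is not None and _CLOSE_RE.match(line):
            yield section, realm, "close", None, line
            realm = None
        elif (m := _KV_RE.match(line)):
            yield section, realm, "kv", m, line
        else:
            yield section, realm, "other", None, line


def get_option(text, section, key, realm=None):
    """Value of `key` in [section] (or in its `realm = { }` block), else None."""
    for sec, rlm, kind, m, _ in _walk(normalize_newlines(text).split("\n")):
        if kind == "kv" and (sec, rlm) == (section, realm) and m.group(2) == key:
            return m.group(3)
    return None


def set_option(text, section, key, value, realm=None):
    """Replace or append `key = value` in an existing block; output is LF-only.

    The block must already exist (a real kdc.conf always has its realm block);
    a missing block raises rather than guessing where to create one.
    """
    target = (section, realm)
    out, done = [], False
    indent = "    " if realm is None else "        "
    prev = (None, None)

    def flush():                          # add the option before leaving the block
        nonlocal done
        if done:
            return
        tail = []                         # keep blank lines that follow the block
        while out and not out[-1].strip():
            tail.append(out.pop())
        out.append(f"{indent}{key} = {value}")
        out.extend(tail)
        done = True

    for sec, rlm, kind, m, line in _walk(normalize_newlines(text).split("\n")):
        if kind == "section" and prev == target:
            flush()                       # next section starts: target section ended
        elif kind == "close" and (sec, rlm) == target:
            flush()                       # closing brace of the target realm block
        elif kind == "kv" and (sec, rlm) == target:
            indent = m.group(1)           # reuse the block's own indentation
            if m.group(2) == key and not done:
                out.append(f"{indent}{key} = {value}")
                done = True
                prev = (sec, rlm)
                continue
        out.append(line)
        prev = (sec, rlm)
    if prev == target:
        flush()                           # target block ran to end of file
    if not done:
        raise ValueError(f"no block for section={section!r} realm={realm!r}")
    return "\n".join(out)


# Constructed samples in the MIT layout (placeholder realm, paths and ports).
KDC_CONF = """[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        database_name = /var/db/krb5kdc/principal
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
"""
KRB5_CONF = """[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = server.example.com:88
    }
"""
# The KDC blob after an editor has written Mac carriage returns, as warned above.
MANGLED_BLOB = KDC_CONF.replace("\n", "\r").encode()
```

Typical use is to read the value (the dscl -read command above), run check_line_endings on the raw bytes, apply set_option for max_life (and max_renewable_life) in the realm block or ticket_lifetime in [libdefaults], and only then write it back with an LDAP client that preserves the linefeeds; get_option on the result is the cheap sanity check before restarting the KDC.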
