| Summary: | pam_krb5 ignores ticket lifetime configuration in /etc/krb5.conf | | |
|---|---|---|---|
| Product: | Base System | Reporter: | basarevych |
| Component: | bin | Assignee: | Dag-Erling Smørgrav <des> |
| Status: | Closed FIXED | | |
| Severity: | Affects Some People | CC: | des |
| Priority: | Normal | Flags: | des: mfc-stable11+, des: mfc-stable10+ |
| Version: | 11.0-RELEASE | | |
| Hardware: | Any | | |
| OS: | Any | | |

Sounds like a library issue to me, but I will investigate.

Created attachment 180461
Load default options before requesting a TGT

Please try this patch:
$ cd /usr/src/lib/libpam/modules/pam_krb5
$ patch pam_krb5.c </path/to/patch
$ make obj && make depend && make && sudo make install
There is no need to reload or restart anything; all subsequent invocations will use the patched module.

It works, I am getting tickets for 1 day now as expected. Thank you.

A commit references this bug:

Author: des
Date: Fri Mar 3 14:06:22 UTC 2017
New revision: 314598
URL: https://svnweb.freebsd.org/changeset/base/314598

Log:
  Load default options before requesting a ticket.

  PR: 213909
  Reported by: basarevych@gmail.com
  MFC after: 1 week

Changes:
  head/lib/libpam/modules/pam_krb5/pam_krb5.c

A commit references this bug:

Author: des
Date: Sun Mar 12 13:22:35 UTC 2017
New revision: 315151
URL: https://svnweb.freebsd.org/changeset/base/315151

Log:
  MFH (r314598): load default options before requesting ticket

  PR: 213909

Changes:
  _U stable/11/
  stable/11/lib/libpam/modules/pam_krb5/pam_krb5.c

A commit references this bug:

Author: des
Date: Sun Mar 12 13:23:23 UTC 2017
New revision: 315152
URL: https://svnweb.freebsd.org/changeset/base/315152

Log:
  MFH (r314598): load default options before requesting ticket

  PR: 213909

Changes:
  _U stable/10/
  stable/10/lib/libpam/modules/pam_krb5/pam_krb5.c

I am using NIS and Kerberos from the base system of FreeBSD 11. Whenever I log in to the workstation (text console), I get keys like this:

    > klist
    Credentials cache: FILE:/tmp/krb5cc_1001
            Principal: ross@LAN

      Issued                Expires               Principal
    Oct 30 09:29:12 2016  Oct 30 19:29:12 2016  host/desktop.lan@LAN
    Oct 30 09:29:12 2016  Oct 30 19:29:12 2016  krbtgt/LAN@LAN

They are valid for exactly 10 hours. However, in /etc/krb5.conf I have this:

    [appdefaults]
        pam = {
            ticket_lifetime = 1d
            default_lifetime = 1d
            renew_lifetime = 1d
        }

    [libdefaults]
        default_realm = LAN
        ticket_lifetime = 1d
        default_lifetime = 1d
        renew_lifetime = 1d

    [domain_realm]
        .lan = LAN

    [realms]
        LAN = {
            kdc = coffin.lan
            admin_server = coffin.lan
            kpasswd_server = coffin.lan
            default_domain = lan
        }

If I run "kinit ross" manually then I get the tickets for one day as expected.
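
The check the reporter did by eye, comparing the lifetime of the TGT issued at login with `ticket_lifetime` in /etc/krb5.conf, can be scripted to confirm the fix after rebuilding the module. This is an added example, not code from the bug report or from FreeBSD. The function names, the 5-minute slack, the supported duration syntax and the column spacing of the sample klist output are assumptions, and the `pam` appdefaults name is taken from the reporter's configuration rather than from the module source.

```python
import re
from datetime import datetime, timedelta

# Sample inputs constructed from the report (column spacing is assumed).
KLIST = """\
  Issued                Expires               Principal
Oct 30 09:29:12 2016  Oct 30 19:29:12 2016  host/desktop.lan@LAN
Oct 30 09:29:12 2016  Oct 30 19:29:12 2016  krbtgt/LAN@LAN
"""
KRB5_CONF = """\
[appdefaults]
    pam = {
        ticket_lifetime = 1d
    }
[libdefaults]
    ticket_lifetime = 1d
"""
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
STAMP = r"(\w{3} +\d+ \d\d:\d\d:\d\d \d{4})"
ROW = re.compile(STAMP + r"\s+" + STAMP + r"\s+(\S+)")
FMT = "%b %d %H:%M:%S %Y"

def parse_lifetime(text):
    """Turn '1d', '10h', '1d12h' or bare seconds into a timedelta (assumed subset)."""
    parts = re.findall(r"(\d+)\s*([smhdw]?)", text)
    return timedelta(seconds=sum(int(n) * UNITS[u] for n, u in parts))

def configured_lifetime(conf, app="pam"):
    """ticket_lifetime from [appdefaults] <app> { }, falling back to [libdefaults]."""
    found, section, block = {}, None, None
    for line in (raw.split("#")[0].strip() for raw in conf.splitlines()):
        if line.startswith("["):
            section, block = line.strip("[]"), None
        elif line.endswith("{") or line == "}":
            block = line.split("=")[0].strip("} ") or None  # "}" closes -> None
        elif line.startswith("ticket_lifetime") and "=" in line:
            found[(section, block)] = parse_lifetime(line.split("=", 1)[1])
    return found.get(("appdefaults", app), found.get(("libdefaults", None)))

def tgt_lifetime(klist_text):
    """Expires minus Issued for the krbtgt/ row of klist output, or None."""
    for issued, expires, principal in ROW.findall(klist_text):
        if principal.startswith("krbtgt/"):
            return datetime.strptime(expires, FMT) - datetime.strptime(issued, FMT)

def lifetime_matches(klist_text, conf, slack=timedelta(minutes=5)):
    """Return (ok, configured, issued); ok is False when the two lifetimes differ."""
    want, got = configured_lifetime(conf), tgt_lifetime(klist_text)
    return (None not in (want, got) and abs(want - got) <= slack), want, got
```

On the report's data this returns `(False, 1 day, 10:00:00)`. A mismatch can also come from a KDC-side maximum ticket life, so compare against a manual `kinit` as the reporter did before blaming the PAM module.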