0
votes

I am trying to issue a renewable ticket for my principal using a keytab (MIT KDC, Red Hat 7.4):

su - newuser
kinit -r 7d -kt /etc/security/keytabs/newuser.service.keytab newuser/[email protected]

Looking at the flags:

[newuser@mask1 ~]$ klist -f
Ticket cache: FILE:/tmp/krb5cc_2824
Default principal: newuser/[email protected]

Valid starting       Expires              Service principal
09/27/2018 09:40:32  09/28/2018 09:40:32  krbtgt/[email protected]
    Flags: FI

My /etc/krb5.conf has

[libdefaults]
  renew_lifetime = 7d
  forwardable = true
  default_realm = EXAMPLE.COM
  ticket_lifetime = 24h

and my /var/kerberos/krb5kdc/kdc.conf

[realms]
 EXAMPLE.COM = {
  #master_key_type = aes256-cts
  max_renewable_life = 7d 0h 0m 0s
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
  default_principal_flags = +renewable
 }

What am I missing to get a renewable ticket?
Update: I was able to make my tickets renewable by doing

kadmin
modprinc -maxrenewlife 7d krbtgt/[email protected]
modprinc -maxrenewlife 7d +allow_renewable newuser/[email protected]

but this means I would need to do it for every principal. How do I make it so that all tickets are generated as renewable by default?
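Two helpers a KDC admin would want for the situation above, added here as an example that is not part of the question or the answer: a check of whether the TGT in a credential cache actually carries the R (renewable) flag, and a generator for the per-principal modprinc commands so that existing principals can be fixed in one pass instead of one at a time. The klist and listprincs text, principal names and hostnames below are constructed samples, not captured output.

```shell
# Constructed klist -f output: one cache whose TGT has Flags: FI (not renewable,
# as in the question) and one whose TGT has the R flag.
KLIST_NOT_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_2824
Default principal: newuser/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
09/27/2018 09:40:32  09/28/2018 09:40:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Flags: FI'
KLIST_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_2824
Default principal: newuser/host.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
09/27/2018 09:40:32  09/28/2018 09:40:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    renew until 10/04/2018 09:40:32, Flags: FRI'

# Return 0 when the line following the krbtgt entry carries the R flag.
tgt_is_renewable() {
  printf '%s\n' "$1" | awk '
    /krbtgt\// { getline; if ($0 ~ /Flags: [A-Za-z]*R/) found = 1 }
    END { exit !found }'
}

# Constructed `kadmin.local -q listprincs` output (assumed format: a header
# line, then one principal per line).
SAMPLE_PRINCS='Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
newuser/host.example.com@EXAMPLE.COM
hdfs/host.example.com@EXAMPLE.COM'

# Print one modprinc command per existing principal. The master key (K/M)
# and the kadmin/* service principals are skipped; everything else gets the
# same maxrenewlife and the allow_renewable attribute.
gen_modprinc() {
  maxlife=$1
  printf '%s\n' "$2" | grep -v '^Authenticating' | grep '@' |
    grep -v -e '^K/M@' -e '^kadmin/' |
    while IFS= read -r p; do
      printf 'modprinc -maxrenewlife %s +allow_renewable %s\n' "$maxlife" "$p"
    done
}

# Live use on the KDC (not run here):
#   gen_modprinc 7d "$(kadmin.local -q listprincs)" | kadmin.local
```

Review the generated list before piping it into kadmin.local; the krbtgt principal must be in it, since a TGT cannot be renewable if the krbtgt entry itself has maxrenewlife 0.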

1
How come you don't tell us what the Kerberos back-end is? Is it Active Directory? Red Hat IdM? MIT Kerberos? - T-Heron
@T-Heron, it's MIT KDC - Maxim Neaga

1 Answer

0
votes

You can set the default (as renew_lifetime) in the [realms] section of the krb5.conf file.