Reset the maxlife of a kerberos ticket

http://stackoverflow.com/questions/27012033/reset-the-maxlife-of-a-kerberos-ticket-more-than-24h

To change the maximum lifetime of a Kerberos ticket from the default 24 hours to 5 minutes, follow these steps:

  1. Add the max_life property to the /var/kerberos/krb5kdc/kdc.conf file, e.g. (this is the life of the keytab):
    max_life = 7d
  2. Change the /etc/krb5.conf file, e.g. (this is the life of the ticket cache):
    ticket_lifetime = 5min
  3. Change the Maximum Life Time of the default principal krbtgt/EXAMPLE.COM@EXAMPLE.COM, e.g. (this is the maxlife for the default renew life from the keytab; DANGEROUS!):
    kadmin.local
    modprinc -maxlife 5min krbtgt/EXAMPLE.COM@EXAMPLE.COM

Now we can set the ticket life to 2 min. We can do kinit for a user and check the expiry of the ticket with klist.

 

Understanding Kerberos TGT lifetimes
Original work; reposting is permitted provided you cite the original source as a hyperlink, together with the author information and this notice. Otherwise legal liability will be pursued. http://caiguangguang.blog.51cto.com/1652935/1383723

When integrating Impala with Kerberos earlier, I ran into time-related problems; at the time I had not tested thoroughly and misunderstood a few things (http://caiguangguang.blog.51cto.com/1652935/1381323). Today I ran some tests, summarized as follows:

1. The Expires and renew until values shown by klist are determined by the parameters in the client-side /etc/krb5.conf configuration file (as long as they do not exceed the max).

The corresponding server-side configuration is:
ticket_lifetime = 1h
renew_lifetime = 1d
The corresponding client-side configuration is:
ticket_lifetime = 4h
renew_lifetime = 5d

2. The server-side kdc.conf configuration acts as a limit on the client. When the client setting exceeds the max setting, the max value is used.
For example, the server side is set to

max_life = 25h
max_renewable_life = 71d
and the client side is set to
ticket_lifetime = 40h
renew_lifetime = 200d
The klist result shows the server-configured values:
Valid starting Expires Service principal
03/25/14 11:55:41 03/26/14 12:55:41 krbtgt/KERBEROS_HADOOP@KERBEROS_HADOOP
renew until 06/03/14 11:55:41

3. Changes to the kdc.conf configuration take effect immediately for newly created principals, but not for existing ones; to apply them to an existing principal you need modprinc.
For example:

modprinc -maxlife 32days -maxrenewlife 32days +allow_renewable krbtgt/REALM

4. Understanding ticket_lifetime and renew_lifetime
Once renew_lifetime has passed, kinit -R is no longer possible. kinit -R does not change the renew until time of the TGT cache; if you want to change the renew until time of the TGT cache,
use kinit -r xx to renew the TGT; the maximum is limited by max_renewable_life.

ticket_lifetime = 40w
renew_lifetime = 200w
klist
Valid starting Expires Service principal
03/25/14 12:04:25 03/25/14 12:05:05 krbtgt/KERBEROS_HADOOP@KERBEROS_HADOOP
        renew until 03/25/14 12:07:45
 date
Tue Mar 25 12:05:38 CST 2014
  # past the Expires time, but not past the renew until time
kinit -R
  # renewal works; the renew until time does not change
klist
Valid starting Expires Service principal
03/25/14 12:05:46 03/25/14 12:06:26 krbtgt/KERBEROS_HADOOP@KERBEROS_HADOOP
        renew until 03/25/14 12:07:45
date
  # past the renew until time
Tue Mar 25 12:08:04 CST 2014
kinit -R
 # renewal fails
kinit(v5): Ticket expired while renewing credentials

5. w does not mean week; it means seconds (the same as giving no unit).

6. If renew_lifetime is shorter than ticket_lifetime, renew until is the same as Expires; running kinit -R has no effect, but you can still run kinit -r xx.

ticket_lifetime = 60
renew_lifetime = 10
Valid starting Expires Service principal
03/25/14 12:25:38 03/25/14 12:26:38 krbtgt/KERBEROS_HADOOP@KERBEROS_HADOOP
        renew until 03/25/14 12:26:38
date && kinit -R ;klist
Tue Mar 25 12:27:29 CST 2014
Valid starting Expires Service principal
03/25/14 12:27:29 03/25/14 12:27:46 krbtgt/KERBEROS_HADOOP@KERBEROS_HADOOP
        renew until 03/25/14 12:27:46
date&&kinit -k -t hdfs.keytab hdfs/xxxxx@KERBEROS_HADOOP -r 10d;klist
Tue Mar 25 12:36:49 CST 2014
Valid starting Expires Service principal
03/25/14 12:36:49 03/25/14 12:37:49 krbtgt/KERBEROS_HADOOP@KERBEROS_HADOOP
        renew until 04/04/14 12:36:49
  # the renew lifetime changed

7. renew_lifetime takes priority over max_renewable_life: if renew_lifetime <= max_renewable_life,
renew_lifetime is used, and when renew_lifetime >= max_renewable_life, renew_lifetime is still used.

ticket_lifetime = 60
renew_lifetime = 120
max_life = 25h
max_renewable_life = 10
Valid starting Expires Service principal
03/25/14 12:42:20 03/25/14 12:43:20 krbtgt/KERBEROS_HADOOP@KERBEROS_HADOOP
        renew until 03/25/14 12:44:20
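As an added example (not code from either post above), a small Python helper that parses klist output in the format quoted on this page and applies the rules both sections describe: the KDC's max_life/max_renewable_life capping the client's ticket_lifetime/renew_lifetime (point 2), the unit handling the author observed (point 5), and whether a TGT is still valid, still renewable with kinit -R, or past renew until (points 4 and 6). The function names and the sample klist text are constructed for this example.

```python
"""Parse klist output and check a TGT against the rules observed in this post."""
from datetime import datetime

FMT = "%m/%d/%y %H:%M:%S"
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample modelled on the klist output quoted under point 4.
SAMPLE_KLIST = """Valid starting     Expires            Service principal
03/25/14 12:04:25  03/25/14 12:05:05  krbtgt/KERBEROS_HADOOP@KERBEROS_HADOOP
        renew until 03/25/14 12:07:45
"""

def parse_klist(text):
    """Return one dict per ticket: starting, expires, renew_until (None if absent), principal."""
    tickets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0][:1].isdigit():
            tickets.append({"starting": datetime.strptime(" ".join(parts[0:2]), FMT),
                            "expires": datetime.strptime(" ".join(parts[2:4]), FMT),
                            "principal": parts[4], "renew_until": None})
        elif parts[:2] == ["renew", "until"] and tickets:
            tickets[-1]["renew_until"] = datetime.strptime(" ".join(parts[2:4]), FMT)
    return tickets

def ticket_state(ticket, now):
    """valid: still usable. renewable: expired but before renew until, so kinit -R
    works (point 4). dead: past renew until, or renew until equals Expires (point 6)."""
    if now < ticket["expires"]:
        return "valid"
    ru = ticket["renew_until"]
    if ru is not None and ru > ticket["expires"] and now < ru:
        return "renewable"
    return "dead"

def state_at(klist_text, now_str):
    """Convenience wrapper: state of the first TGT in klist_text at the given clock."""
    return ticket_state(parse_klist(klist_text)[0], datetime.strptime(now_str, FMT))

def parse_deltat(value):
    """Seconds for the duration spellings used on this page: bare seconds, or
    <n><unit> with s/m/h/d ("5min", "25h", "32days"). Any other suffix (e.g. "w")
    is treated as seconds, matching the author's observation in point 5."""
    digits = "".join(ch for ch in value if ch.isdigit())
    unit = value[len(digits):].strip().lower()[:1]
    return int(digits) * _UNIT.get(unit, 1)

def effective_lifetime(client_setting, kdc_max):
    """Point 2: the KDC's max_life / max_renewable_life caps what the client asks for."""
    return min(parse_deltat(client_setting), parse_deltat(kdc_max))
```

Run it against real `klist` output piped from a host to confirm a service account's ticket is still renewable before a scheduled `kinit -R`, rather than discovering the "Ticket expired while renewing credentials" error in a job log.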

