Chris Cowan via FreeIPA-users wrote:
> I tried various approached to get Renewable tickets :
> modifying the kdc
> modifying krb5.conf
> using kadmin.local on every replica to modify the principal; which is not
> working - as designed (?)- in IPA
>
> What should I do to get a ticket with the correct R flag from IPA ?
> I don't think this is SSSD related (the service needing the renewable
> ticket this way is Apache Storm)
>
> Thanks a lot!
I'm curious if you ever got an answer or solved this problem? I have users that
will need Kerberos tickets for long running batch jobs.
I found this post from 2012, and am wondering if it is still accurate. Reading through
these archives to see if there are any recent changes/updates.
Rather than digging up an 11-year old thread, what is it you want to do?
There isn't a lot of context from your original post.
kinit -r 24 will get you a 24-hour renewable ticket.
The maximum time is defined by the ticket policy, ipa krbtpolicy-show
There are other ways to avoid expiring tickets but knowing what it is
you're trying to do would help.
rob
> Simo Sorce simo at
redhat.com
> Fri May 18 15:27:57 UTC 2012
>
> Previous message (by thread): [Freeipa-users] howto modify krb principal
attributes without kadmin.local
> Next message (by thread): [Freeipa-users] Problems replicating with Windows 2008
AD
> Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
>
> On Wed, 2012-05-16 at 15:08 -0700, Thomas Jackson wrote:
>>
>>
>> On Tue, May 15, 2012 at 3:24 PM, Simo Sorce <simo at redhat.com> wrote:
>> On Tue, 2012-05-15 at 14:21 -0700, Thomas Jackson wrote:
>> > So going through the documentation it's clearly laid out not
>> to use
>> > kadmin or kadmin.local when using freeipa. I have been
>> unable to find
>> > how to replace this functionality in the documentation.
>> >
>> > If I could use kadmin.local on my kdc I would like to run
>> the
>> > following command....
>> >
>> > modprinc +requires_hwauth user
>> >
>> > Am I going to need to extend/modify the krb5 schema to
>> modify
>> > principals attributes in this way?
>> >
>>
>> For this specific change you can use kadmin.local, but the IPA
>> UI will
>> not report you anything about it.
>>
>> The flags part is still a weak point of the Web UI, if you
>> want you can
>> open a RFE ticket to ask for better support for these flags,
>> we need to
>> do it at some point we simply haven't yet as we concentrated
>> on more
>> important and pressing issue this far.
>>
>> Simo.
>>
>> --
>> Simo Sorce * Red Hat, Inc * New York
>>
>>
>> The following errors lead me to believe I am missing something as
>> kadmin.local appears to have access issues when trying to modify a
>> principle.
>>
>> kadmin.local: modprinc +requires_hwauth user
>> modify_principal: User modification failed: Insufficient access while
>> modifying "user".
>>
>> For good measure I've modified /var/kerberos/krb5kdc/kadm5.
>> acl with the correct ACLs for the domain and still encounter the same
>> errors.
>>
>> -ipa 2.1.3
>
> Ok I took a second look at how to make it simple.
>
> First of all I misremembered about the fact these flags were saved in
> the krbExtraData field. They are not, there is a specific attribute for
> all ticket flags that is called krbTicketFlags.
>
> This attribute is normally not set on entries, as the defaults for the
> realm are used, however the requires_hwauth flag is not a default and
> you want to enable it only for user principals, not all principals on
> the server.
>
> That can be easily done by adding the krbTicketFlags attribute.
> However in order to do this properly you need to calculate what value to
> set based on this (partial) table:
>
> KRB5_KDB_DISALLOW_POSTDATED 0x00000001
> KRB5_KDB_DISALLOW_FORWARDABLE 0x00000002
> KRB5_KDB_DISALLOW_TGT_BASED 0x00000004
> KRB5_KDB_DISALLOW_RENEWABLE 0x00000008
> KRB5_KDB_DISALLOW_PROXIABLE 0x00000010
> KRB5_KDB_DISALLOW_DUP_SKEY 0x00000020
> KRB5_KDB_DISALLOW_ALL_TIX 0x00000040
> KRB5_KDB_REQUIRES_PRE_AUTH 0x00000080
> KRB5_KDB_REQUIRES_HW_AUTH 0x00000100
> KRB5_KDB_REQUIRES_PWCHANGE 0x00000200
>
> The default flag for IPA user is KRB5_KDB_REQUIRES_PRE_AUTH, so in order
> to properly set the flag you need to combine it with the flag you want
> that is KRB5_KDB_REQUIRES_HW_AUTH.
>
> So 0x0100 + 0x0080 = 0x0180
>
> In decimal 0x0180 becomes 384
>
> So you need to change the entry to set krbTicketFlags to 384
>
> Now, normally I would tell you to do that using the following command:
> ipa user-mod <username> --setattr=krbticketflags=384
>
> However, we do restrict even admin from touching that attribute, so you
> have 2 options:
>
> 1. change the default ACI to allow admin to edit that attribute.
> 2. do an ldapmodify operation instead using the Directory Manager
> credentials.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue