Kerberos ticket is not renewable

I followed all the recommended MIT Kerberos configuration settings. I created a principal, and when I run kadmin.local getprinc, I see the following:

kadmin.local:  getprinc [email protected]
Principal: [email protected]
Expiration date: [never]
Last password change: Sun Mar 13 07:55:56 UTC 2016
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 10 days 00:00:00
Last modified: Sun Mar 13 07:55:56 UTC 2016 (root/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]

When I do a kinit, I then see the following (which is wrong, because I do not see the "renew until mm:dd:yy" date in the klist response):

Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
03/13/2016 07:56:21  03/14/2016 07:56:19  krbtgt/[email protected]

When a renewal request is made, I see this in the log:

TGS_REQ (1 etypes {23}) 10.0.0.10: TICKET NOT RENEWABLE: authtime 0,  [email protected] for krbtgt/[email protected], KDC can't fulfill requested option

Answer 1

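It turned out that the service principal had a maximum renewable life of 0 days. Maybe I created it before making the configuration changes..!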

So this was the culprit: krbtgt/[email protected]

When I modified the service principal as shown below, it worked..!

modprinc -maxlife 1days -maxrenewlife 7days +allow_renewable krbtgt/[email protected] 
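
The check behind this answer, as an added example that is not part of the original question or answer: in MIT Kerberos the renewable life of an issued ticket is bounded by the smallest of the requested value, the realm's max_renewable_life, and the limits on both the client and the krbtgt principal, so a single zero makes the TGT non-renewable. The getprinc samples, the EXAMPLE.TEST realm and the function names are constructed for illustration, and the "Attributes:" line with DISALLOW_RENEWABLE is assumed to appear as kadmin prints it.

```python
import re

# Constructed getprinc output; realm and principal names are placeholders.
CLIENT = """Principal: user@EXAMPLE.TEST
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 10 days 00:00:00
Attributes:
"""
KRBTGT = """Principal: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
Attributes:
"""

DURATION = re.compile(r"(?:(\d+) days? )?(\d+):(\d\d):(\d\d)$")


def parse_duration(text):
    """Convert a getprinc duration such as '10 days 00:00:00' to seconds."""
    m = DURATION.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def parse_getprinc(output):
    """Extract the fields that decide renewability from getprinc output."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "name": fields["Principal"],
        "max_renew": parse_duration(fields["Maximum renewable life"]),
        "attributes": fields.get("Attributes", "").split(),
    }


def renew_life(requested, realm_max, *principals):
    """Return (seconds, blockers): the renewable life the KDC can grant for
    the request and the names of the limits that force it to zero."""
    limits = {"request": requested, "realm max_renewable_life": realm_max}
    for p in principals:
        blocked = "DISALLOW_RENEWABLE" in p["attributes"]
        limits[p["name"]] = 0 if blocked else p["max_renew"]
    return min(limits.values()), [k for k, v in limits.items() if v == 0]
```

Feeding it the getprinc output of both the user principal and the realm's krbtgt principal shows which limit is the zero one before any modprinc change is made.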
