Heimdal Kerberos Version 7.3.0
at first you have to check if your principal has renewable-tickets allowed:
#serverside login into kerberos-database kadmin -l #list attributes (the attribute-section of the output should not contain something like 'disallow-renewable') kadmin> list -l <principal> #if renewable tickets are disabled, you can enable it with kadmin> modify -a -disallow-renewable <principal> #logout from kerberos-database kadmin> quit
second you have to edit your configuration krb5.conf on clientside and activate the request of renewable-tickets:
#/etc/krb5.conf [libdefaults] ticket_lifetime = 1d renew_lifetime = 7d
ticket_lifetime is the period of time a ticket is valid, for example 1 day.
renew_lifetime is the period of time (counted from the Login-time) a renewing of the ticket is allowed, for example a renewing of the ticket is possible within the first 7 days after your login.
tip: the lifetime of the renewed ticket is the ticket-lifetime.
at last check if everything works fine:
#request clientside a new ticket kinit <principal> #check the new ticket (now you must see a ticket-flag called 'renewable') klist -l <principal>