[Howto] enable renewable HEIMDAL Kerberos 5 tickets


Heimdal Kerberos Version 7.3.0


First, check whether your principal is allowed to obtain renewable tickets:

# server side: log in to the Kerberos database
kadmin -l

# list attributes (the attributes section of the output should not contain 'disallow-renewable')
kadmin> list -l <principal>

# if renewable tickets are disabled, you can enable them with
kadmin> modify -a -disallow-renewable <principal>

# log out of the Kerberos database
kadmin> quit


Second, edit krb5.conf on the client side so that renewable tickets are requested:

  ticket_lifetime = 1d
  renew_lifetime =  7d

ticket_lifetime is the period of time a ticket is valid, for example 1 day.

renew_lifetime is the period of time, counted from the login time, during which the ticket may be renewed. For example, the ticket can be renewed within the first 7 days after your login.

Tip: the lifetime of a renewed ticket is again ticket_lifetime.
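The interplay of the two settings, as an added example that is not part of the original howto: it reads the two values from a constructed krb5.conf fragment and computes when each renewed ticket is issued and expires. The function names, the login time and the one-hour renewal margin are assumptions, only simple values such as 1d or 10h are parsed, and the cap at the renew-till time reflects the Kerberos rule that a renewed ticket never ends after it.

```python
from datetime import datetime, timedelta
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_duration(text):
    """Parse '<number><unit>' such as '1d' or '10h' (subset of the krb5.conf time syntax)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw])\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2)])

def read_lifetimes(conf_text):
    """Return (ticket_lifetime, renew_lifetime) found in krb5.conf-style text."""
    found = {}
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("ticket_lifetime", "renew_lifetime"):
            found[key.strip()] = parse_duration(value)
    return found["ticket_lifetime"], found["renew_lifetime"]

def renewal_timeline(login, ticket_lifetime, renew_lifetime, renew_margin):
    """Return ([(issued, expires), ...], renew_till) for the first ticket and all renewals.

    Each renewal is requested renew_margin before the current ticket expires;
    the renewed ticket ends at min(renew_till, issued + ticket_lifetime).
    """
    renew_till = login + renew_lifetime
    tickets = [(login, min(login + ticket_lifetime, renew_till))]
    while True:
        issued = tickets[-1][1] - renew_margin
        expires = min(issued + ticket_lifetime, renew_till)
        if expires <= tickets[-1][1]:  # renewing no longer extends validity
            return tickets, renew_till
        tickets.append((issued, expires))

# Constructed sample: the two settings shown on this page.
SAMPLE_CONF = """
  ticket_lifetime = 1d
  renew_lifetime =  7d
"""

if __name__ == "__main__":
    life, renew = read_lifetimes(SAMPLE_CONF)
    login = datetime(2024, 1, 1, 9, 0)  # constructed login time
    tickets, renew_till = renewal_timeline(login, life, renew, timedelta(hours=1))
    for issued, expires in tickets:
        print(f"issued {issued}  expires {expires}")
    print(f"no renewal past {renew_till}: a fresh kinit is required")
```

The last renewed ticket is shorter than ticket_lifetime because it is cut off at the renew-till time. That time is also how long a copied credential cache can be kept alive without the password, so keep renew_lifetime no longer than you actually need.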


Finally, check that everything works:

# client side: request a new ticket
kinit <principal>

# check the new ticket in verbose mode (the ticket flags must now include 'renewable')
klist -v