<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 09/10/2013 01:19 AM, Mahmoud wrote:
<blockquote
cite="mid:CAOq9=r3yMw9N0rZ5Ne_G05ehAoJvQkAsyz-CP0fmreF9fF+DwQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Hello,<br>
<br>
</div>
<div>Thank you for your response.<br>
</div>
When a user gets a TGT, he can get service tickets without typing a password. I would like to have several levels of users. As high-level users have more access to resources, I want to grant them a ticket with a shorter validity time. In other words, I want to have several ticket lifetimes depending on user level.<br>
</div>
</div>
</blockquote>
<br>
If you use IPA then you can use the default policy to set the default value.<br>
The attribute you care about is: krbMaxTicketLife<br>
You can use the realm entry to set the default policy for the majority of principals<br>
<pre>dn: cn=EXAMPLE.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
cn: EXAMPLE.COM
objectClass: top
objectClass: krbrealmcontainer
objectClass: krbticketpolicyaux
krbSubTrees: dc=gsslab,dc=rdu,dc=redhat,dc=com
krbSearchScope: 2
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: des-hmac-sha1:normal
krbSupportedEncSaltTypes: des-cbc-md5:normal
krbSupportedEncSaltTypes: des-cbc-crc:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
krbSupportedEncSaltTypes: des-cbc-crc:afs3
krbDefaultEncSaltTypes: aes256-cts:normal
krbDefaultEncSaltTypes: aes128-cts:normal
krbDefaultEncSaltTypes: des3-hmac-sha1:normal
krbDefaultEncSaltTypes: arcfour-hmac:normal
krbDefaultEncSaltTypes: des-hmac-sha1:normal
krbDefaultEncSaltTypes: des-cbc-md5:normal
krbMKey:: GFFFYTUYFUYFHJJJHGJGJHGJHGJ
</pre>
Set krbMaxTicketLife to a value in seconds.<br>
Then per principal you can set it to the specific value you need based on the type of the user.<br>
There is no need to recompile any code.<br>
You can also look at the password policies feature in IPA. We added the ability to define a policy per group. If you want to manage krbMaxTicketLife per group you might do a similar thing.<br>
Let me know if you are interested in contributing this feature to IPA.<br>
Thanks<br>
Dmitri<br>
<blockquote
cite="mid:CAOq9=r3yMw9N0rZ5Ne_G05ehAoJvQkAsyz-CP0fmreF9fF+DwQ@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Sep 10, 2013 at 5:24 AM, Dmitri
Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div class="im"> On 09/09/2013 12:49 PM, Mahmoud wrote:
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>Hello Mr. <span name="Dmitri Pal">Dmitri
Pal<br>
<br>
</span></div>
<span name="Dmitri Pal">Thank you very much for
your help.<br>
<br>
</span></div>
<div><span name="Dmitri Pal">I tried to change the source code to have more options. It was difficult for me to understand the FreeIPA source code. Hence, I decided to change the Kerberos source code. I want to add more features to Kerberos. For example, I would like to have two (or several) types of ticket expiration.<br>
</span></div>
</div>
</div>
</blockquote>
<br>
</div>
What do you mean by several types of ticket expiration?<br>
Can you please give an example?
<div>
<div class="h5"><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div><span name="Dmitri Pal"> </span></div>
<span name="Dmitri Pal"><br>
Thanks<br>
</span></div>
<span name="Dmitri Pal">Best regards<br>
</span></div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Sep 9, 2013 at
8:13 PM, Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 09/09/2013 10:55 AM, Mahmoud wrote:
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Hello,<br>
<br>
</div>
Thank you very much for your time
and attention.<br>
<br>
</div>
I changed the client-side code (kinit.c) but it requires changing all clients. Now I have decided to change the server-side code.<br>
</div>
</blockquote>
<br>
</div>
It seems that you should try to contribute
code upstream if you want to end up with any
kind of support of your enhancements,
otherwise you would have to maintain your
own version.
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div class="gmail_extra">I thought it may be a better choice. Should I change the policy.c file to change ticket policies? </div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
What policies do you want to change and why?
You might have described your intent on some
other thread in some other list but not
here.
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div class="gmail_extra">Does it not require recompiling krb5kdc?<br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
I suspect it does...
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>
<div class="gmail_extra">I installed FreeIPA on Fedora 18. When I execute the klist -V command, I get the following result:<br>
Kerberos 5 version 1.10.3 <br>
</div>
<div class="gmail_extra"><br>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
Fedora 19 has 1.11<br>
<br>
IMO the best would be to have a detailed explanation of what you are trying to accomplish.<br>
This way we would be able to help you with the right approach.<br>
But it seems that building custom code might not be the best option.<br>
<br>
Thanks<br>
Dmitri<br>
<br>
<br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div>
<div>
<div>
<div class="gmail_extra">Best
regards.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On
Mon, Sep 9, 2013 at 6:00
PM, Simo Sorce <span
dir="ltr"><<a
moz-do-not-send="true"
href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span>
wrote:<br>
<blockquote
class="gmail_quote"
style="margin:0px 0px
0px
0.8ex;border-left:1px
solid
rgb(204,204,204);padding-left:1ex">
<div>On Mon, 2013-09-09
at 08:07 +0430,
Mahmoud wrote:<br>
> Hello Simo<br>
><br>
><br>
> The previous problem occurred due to installing krb5-1.11.3. I installed<br>
> krb5-1.10.6 and copied ipadb.so in the appropriate directory, hence the<br>
> problem has been solved. Is it all right?<br>
<br>
<br>
</div>
No it is not, we require
1.11.3 for OTP support
in the latest FreeIPA.<br>
<br>
Seriously, changing the KDC is the last thing you want to do to solve<br>
your problem.<br>
<br>
Have you looked into creating custom ticket policies for your users?<br>
<br>
Why do you need to change the KDC to do that?<br>
<span><font
color="#888888"><br>
Simo.<br>
</font></span>
<div>><br>
> Thank you.<br>
><br>
> Best regards.<br>
><br>
><br>
><br>
> On Mon, Sep 9,
2013 at 7:47 AM, Luke
Howard <<a
moz-do-not-send="true"
href="mailto:lukeh@padl.com" target="_blank">lukeh@padl.com</a>>
wrote:<br>
><br>
> On
09/09/2013, at 1:08
PM, Mahmoud <<a
moz-do-not-send="true"
href="mailto:gh.mdgh@gmail.com" target="_blank">gh.mdgh@gmail.com</a>>
wrote:<br>
><br>
> > I thought FreeIPA uses krb5-1.10.3, but when I use klist -V I get<br>
> > the following result:<br>
> > Kerberos 5 version 1.10.3<br>
><br>
><br>
> Aren't
these the same thing?<br>
><br>
> -- Luke<br>
><br>
><br>
<br>
<br>
</div>
<div>
<div>--<br>
Simo Sorce * Red
Hat, Inc * New York<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
<pre>_______________________________________________
Freeipa-devel mailing list
<a moz-do-not-send="true" href="mailto:Freeipa-devel@redhat.com" target="_blank">Freeipa-devel@redhat.com</a>
<a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-devel" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-devel</a></pre>
</blockquote>
<div> <br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre>
</div>
</div>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
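As an added example (not code from the thread or from FreeIPA), the two settings Dmitri describes written out as LDIF modify records: krbMaxTicketLife in seconds on the realm entry as the default, and on one principal as the override for privileged users. It also models the clamp applied when a TGT is issued, assuming the KDC grants the smallest of the requested lifetime, the realm default and the principal's own limit (MIT KDC behaviour). The realm DN is the one from the thread; the user DN, the lifetimes and the request values are constructed.

```python
import re

# Added example; not from the thread or FreeIPA. Builds LDIF that sets
# krbMaxTicketLife (stored in seconds) on the realm entry, which acts as
# the default, or on a single principal, and models the clamp the KDC
# applies when it issues a TGT.

REALM_DN = "cn=EXAMPLE.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com"
# Constructed: assumed location of the admin user in the same suffix.
USER_DN = "uid=admin,cn=users,cn=accounts,dc=gsslab,dc=rdu,dc=redhat,dc=com"

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def lifetime_seconds(spec):
    """Turn '8h', '30m', '1d' or a bare number of seconds into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", spec)
    if not m:
        raise ValueError(f"bad lifetime: {spec!r}")
    secs = int(m.group(1)) * _UNITS[m.group(2) or "s"]
    if secs <= 0:
        raise ValueError("lifetime must be positive")
    return secs


def ticket_life_ldif(dn, lifetime):
    """LDIF modify record setting krbMaxTicketLife on one entry: the realm
    entry gives every principal its default, a user entry overrides it."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"replace: krbMaxTicketLife\n"
            f"krbMaxTicketLife: {lifetime_seconds(lifetime)}\n")


def effective_ticket_life(requested, realm_max, principal_max=None):
    """Lifetime the KDC grants (assumption: the smallest of the request,
    the realm default and the principal's own limit, as the MIT KDC does)."""
    limits = [requested, realm_max]
    if principal_max is not None:
        limits.append(principal_max)
    return min(limits)


if __name__ == "__main__":
    # Regular users keep the one-day default; admins get one hour.
    print(ticket_life_ldif(REALM_DN, "1d"))
    print(ticket_life_ldif(USER_DN, "1h"))
    # A 10h request: the admin is clamped to 1h, a regular user gets 10h.
    print(effective_ticket_life(36000, 86400, 3600),
          effective_ticket_life(36000, 86400))
```

In IPA the same change is normally made with `ipa krbtpolicy-mod --maxlife=SECONDS` for the realm default or `ipa krbtpolicy-mod USER --maxlife=SECONDS` for one user, which also adds the krbTicketPolicyAux object class the attribute needs on a user entry.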
</body>
</html>