0

I am using Python to connect to a SQL Server database using pypyodbc and the Microsoft ODBC provider for SQL Server driver. It was looking for a Kerberos ticket, which I created by using the following command:

$kinit sinXXXX4@CORP.XXXXX.NET

But it gets expired every day; how can I make it not expire?

[sinXXXX4@uXXXXXXXd102 HealthCheck]$ klist
Ticket cache: FILE:/tmp/krb5cc_134202
Default principal: sinXXXX4@CORP.XXXXX.NET

Valid starting       Expires              Service principal
03/09/2018 10:09:46  03/09/2018 20:09:46  krbtgt/CORP.XXXXXX.NET@CORP.XXXXXX.NET
    renew until 03/10/2018 10:09:40
SSingh
  • 1
    Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Mar 09 '18 at 17:09
  • 2
    Either request a longer lifetime with `kinit -l` or look at the `k5start` tool. – match Mar 09 '18 at 17:39
  • 1
    From a security standpoint, non-expiring (or even long-lived) tickets are a Bad Idea™. You can, however, renew an existing non-expired ticket using `kinit -R`. In your case, it looks like that buys you some extra time before having to re-authenticate. – Ben Thul Mar 09 '18 at 17:40
  • Did you check this similar question: https://stackoverflow.com/questions/40917698/hbase-with-kerberos-keep-a-htable-instance-open-more-than-10-hours? Or this one: https://stackoverflow.com/questions/41453395/how-to-renew-expiring-kerberos-ticket-in-hbase? – T-Heron Mar 10 '18 at 02:10
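
Added example, not part of the original thread: a Python helper that parses the `klist` output shown in the question and decides whether the cached TGT is still fine, can be renewed with `kinit -R` as suggested in the comments, or needs a fresh `kinit`. The function names, the one-hour margin and the MM/DD/YYYY date format are assumptions.

```python
import re
from datetime import datetime, timedelta

# klist output as posted in the question (redactions kept, principal line wrapped).
SAMPLE_KLIST = """\
Default principal: sinXXXX4@CORP.XXXXX.NET

Valid starting       Expires              Service principal
03/09/2018 10:09:46  03/09/2018 20:09:46
krbtgt/CORP.XXXXXX.NET@CORP.XXXXXX.NET
    renew until 03/10/2018 10:09:40
"""
FMT = "%m/%d/%Y %H:%M:%S"  # assumption: MM/DD/YYYY, as in the output above
STAMP = r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
ENTRY = re.compile(rf"\s*{STAMP}\s+{STAMP}\s*(\S*)")

def parse_tgt(klist_text):
    """Return the krbtgt entry's times, or None if the cache holds no TGT."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = ENTRY.match(line)
        following = lines[i + 1:i + 3]
        service = m.group(3) if m else ""
        if m and not service and following:   # principal wrapped to next line
            service = following[0].strip()
        if not service.startswith("krbtgt/"):
            continue
        renew = None
        for extra in following:
            if ENTRY.match(extra):            # next ticket entry starts here
                break
            r = re.search(rf"renew until {STAMP}", extra)
            if r:
                renew = datetime.strptime(r.group(1), FMT)
        return {"service": service, "renew_until": renew,
                "expires": datetime.strptime(m.group(2), FMT)}
    return None

def next_action(tgt, now, margin=timedelta(hours=1)):
    """'ok', 'renew' (kinit -R still works) or 'reauth' (fresh kinit needed)."""
    if tgt is None or now >= tgt["expires"]:
        return "reauth"                       # an expired ticket cannot be renewed
    if tgt["expires"] - now > margin:
        return "ok"
    if tgt["renew_until"] and now < tgt["renew_until"]:
        return "renew"
    return "reauth"
```

A scheduled job can feed the output of `klist` to `parse_tgt` and run `kinit -R` whenever `next_action` returns `'renew'`; once the "renew until" time has passed, only a new `kinit` helps.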

1 Answer

0

The lifetime of the Kerberos ticket depends on the ticket lifetime value set in /etc/krb5.conf of the KDC server. The default value of this parameter is 24 hours, because of which your ticket is expiring every day. You can change the value of ticket_lifetime in /etc/krb5.conf of the KDC server and restart the kadmin service and krb5kdc service so that the changes become effective.

Aman Khare
  • `/sbin/service krb5kdc stop`, `/sbin/service kadmin stop`, `/sbin/service krb524 stop` to stop the service. `/sbin/service krb5kdc start`, `/sbin/service kadmin start`, `/sbin/service krb524 start` to start the service. Source: https://www.techwalla.com/articles/how-to-restart-kerberos-in-linux – Nitin Sep 11 '18 at 17:22
  • 1
    @Nitin: these are the commands which will help in restarting the KDC-related services once the changes are made in the /etc/krb5.conf present on the KDC server for changing the ticket lifetime. Though I think a restart of /sbin/service krb524 is not required. Only restarting the krb5kdc and kadmin services will do the job. – Aman Khare Dec 03 '18 at 09:23