Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

Automatically Renewing All Ticket-Granting Tickets

For ease of administration, you can configure ticket renewal and warning messages about Ticket Granting Ticket (TGT) expiration. Administrators can set warnings for all users, and users can customize their own warnings. For more information, see the warn.conf(4) and ktkt_warnd(1M) man pages.

Note -  The ktkt_warn service is disabled by default. To enable the service on existing Kerberos clients, run the svcadm enable ktkt_warn command.
Example 4-8  Configuring TGT Expiration Messages for All Users

This example shows several ways to configure the renewal and message system for TGTs.

# pfedit /etc/krb5/warn.conf
## renew the TGT 30 minutes before expiration and send message to users terminal
mre@EXAMPLE.COM renew:log terminal 30m
## send a warning message to a specific email address 20 minutes before TGT expiration
mre@EXAMPLE.COM mail 20m
# renew the TGT 20 minutes before expiration and send an email message on failure
bricker@EXAMPLE.COM renew:log-failure mail 20m -
## catch-all: any principal not matched above will get an email warning
* mail 20m - 

After configuring the messages, run the kclient command on new clients.

client# /usr/sbin/kclient -p /net/

On existing clients, enable the service.

# svcadm enable network/security/ktkt_warn
Example 4-9  Configuring TGT Expiration Messages for a User

Each user can configure an individual warnd configuration file, which is named /var/user/$USER/krb-warn.conf. The existence of this file prevents the administrator file from being read.

% pfedit /var/user/mre/krb-warn.conf
mre@EXAMPLE.COM renew:log mail 25m &

The TGT is renewed 25 minutes before expiration, the renewal is logged, and the Kerberos user mre is sent mail at that time.