[37604] in Kerberos
Re: max_life problem
daemon@ATHENA.MIT.EDU (=?UTF-8?B?0JDQu9C10LrRgdCw0L3QtNGA)
Fri Aug 5 07:42:43 2016
MIME-Version: 1.0
In-Reply-To: <alpine.GSO.1.10.1608021553160.5272@multics.mit.edu>
From: =?UTF-8?B?0JDQu9C10LrRgdCw0L3QtNGAINCR0LDRgNCw0L3QuNC9?=
<avbaranin@gmail.com>
Date: Thu, 4 Aug 2016 13:39:51 +0300
Message-ID: <CACjhFAnhQpqvPh_fbnropRe9NQnx3hVUysW6sVMOOSnaYtrZtA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Yes, you are right.
But In my case I used compilation from source code.
But at the moment of realm creation the limit 10h was in my kdc.conf. So
this limit was copied to principal krbtgt.
2016-08-02 22:56 GMT+03:00 Benjamin Kaduk <kaduk@mit.edu>:
> On Mon, 1 Aug 2016, Greg Hudson wrote:
>
> > On 08/01/2016 04:29 AM, Александр Баранин wrote:
> > > I use mit kerberos, version krb5-1.14.2, compiled from source.
> > > And I can't to force kdc to issue tickets for more than 10 hours.
> >
> > In addition to the realm setting, the client and server entries in the
> > KDC database can also have a max_life value. Using "getprinc" in
> > kadmin, look at the "Maximum ticket life" on the user principal and on
> > krbtgt/ALFA.IT. Are either of them ten hours? If so, you can change
> > them with "modprinc -maxlife".
>
> (It looks like this is on a Debian system, so I'll note that the debian
> krb5-kdc package will create a kdc.conf that has max_life 10 hours on
> first installation. So, principals created when such a kdc.conf was in
> place would be affected by it.)
>
> -Ben
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
