[30454] in Kerberos
Re: Parameters in « Strategy Kerberos
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Nov 14 14:36:53 2008
To: jivko <jivko.mitev@free.fr>
From: Tom Yu <tlyu@mit.edu>
Date: Fri, 14 Nov 2008 14:35:59 -0500
In-Reply-To: <ddb4ec4e-998b-403d-a4b2-bc1a1922d06d@26g2000hsk.googlegroups.com>
(jivko.mitev@free.fr's message of "Thu,
30 Oct 2008 05:44:08 -0700 (PDT)")
Message-ID: <ldvy6zm5cdc.fsf@cathode-dark-space.mit.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
jivko <jivko.mitev@free.fr> writes:
> Title: Parameters in « Strategy Kerberos » not taken into account.
>
> Environment: domain controller « Windows 2000 Server SP4 », client
> « Windows XP SP2 »
>
> Particularities of the environment:
> The server is the only AD controller in its VLAN. It was added to the
> production domain, replicated, then detached and plugged into a
> closed VLAN, with the missing references removed.
> The server is in AD2000 native mode, but the domain was not
> created from scratch; it was migrated from NT.
> The VLAN contains the only XP host, a member of the domain.
>
> At the beginning the domain was under NT; it contained a certain
> number of NT hosts (1 PDC and several BDCs).
> The domain was migrated to Windows 2000 like this:
> migration of the NT PDC to 2000; 2000 is then in mixed mode, which means
> that the 2000 server emulates an NT PDC
> replacement of all the NT controllers by 2000 controllers
> installed from scratch
> at the end, when there were no NT controllers left in the domain,
> reinstallation from scratch to 2000 of the ex-PDC from NT
> when there are only 2000 machines installed from scratch, switching
> the AD to 2000 « native » mode
>
> So the controllers are 100% 2000, but the AD structure comes from the
> old NT domain.
>
>
> Description:
> We want to modify the max lifetime of the Kerberos TGT tickets. To do
> this:
> 1) we modified the value of the TGT max lifetime to 600 in
> « Stratégie de sécurité du domaine / …/ Strategie Kerberos »
Because it is likely that most of the readers of this newsgroup / list
primarily speak English, you may get more useful responses if you
could quote the names of the settings that you mention above from an
English localization rather than from the French localization.
> On the client host we do:
> 2) klist purge
> 3) access the shared folder
> 4) klist tgt
> ===========
> C:\Program Files\Resource Kit>klist tgt
>
> Cached TGT:
>
> ServiceName: krbtgt
> TargetName: krbtgt
> FullServiceName: GOVARTAN
> DomainName: AESN.FR
> TargetDomainName: AESN.FR
> AltTargetDomainName: AESN.FR
> TicketFlags: 0x40e00000
> KeyExpirationTime: 1/1/1601 2:00:00
> StartTime: 10/16/2008 18:04:54
> EndTime: 10/17/2008 2:04:54
> RenewUntil: 10/16/2008 19:04:54
> TimeSkew: 1/1/1601 2:00:00
> ==========
>
> The problem: the TGT max lifetime is 8h.
> After a reboot of the server: the same result.
> The same modifications are taken into account on the host installed
> with Windows 2000 from scratch.
>
> Questions:
> 1) As the ticket max lifetime by default is 10h, where does the
> duration of 8h come from?
I am not familiar with how AD configures its ticket lifetimes, but if
it is similar to how MIT krb5 determines ticket lifetime, it probably
uses the smallest lifetime value out of the set containing the client
principal ticket lifetime, the service principal ticket lifetime and
the requested lifetime.
> 2) How to modify (force) the TGT max lifetime in our platform
> configuration?
Again, I am not very familiar with AD administration, but there may be
individual lifetime restrictions on each client principal, or more
global settings, that could affect ticket lifetime in the way you
wish.
________________________________________________
Kerberos mailing list    Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
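Added example (not part of the thread, and not code from Tom Yu or the MIT krb5 project): it parses the `klist tgt` output quoted in the question to show what the XP client actually received (an 8h ticket with a 1h renewable window, flags forwardable/renewable/initial/pre-authent), and models the "smallest value of the set" rule Tom describes for MIT krb5, where the granted lifetime is the minimum of the requested lifetime, the client principal's cap and the service principal's cap (MIT's KDC also applies a realm-wide cap, included here as an optional argument). The cap values passed at the bottom are hypothetical, chosen only to illustrate how any one cap can shorten the result; the page does not say which setting produced the 8h in this domain.

```python
# Added example: decode the klist output from the post and model the
# min-of-all-caps ticket-lifetime rule.  Not code from the original page.
from datetime import datetime, timedelta

# Windows KERB_TICKET_FLAGS bit values (same bit layout as RFC 4120 TicketFlags).
TICKET_FLAGS = {
    0x40000000: "forwardable",
    0x20000000: "forwarded",
    0x10000000: "proxiable",
    0x08000000: "proxy",
    0x04000000: "may-postdate",
    0x02000000: "postdated",
    0x01000000: "invalid",
    0x00800000: "renewable",
    0x00400000: "initial",
    0x00200000: "pre-authent",
    0x00100000: "hw-authent",
    0x00080000: "transited-policy-checked",
    0x00040000: "ok-as-delegate",
}

# Constructed copy of the Resource Kit "klist tgt" block quoted in the question.
KLIST_OUTPUT = """\
Cached TGT:

ServiceName: krbtgt
TargetName: krbtgt
FullServiceName: GOVARTAN
DomainName: AESN.FR
TargetDomainName: AESN.FR
AltTargetDomainName: AESN.FR
TicketFlags: 0x40e00000
KeyExpirationTime: 1/1/1601 2:00:00
StartTime: 10/16/2008 18:04:54
EndTime: 10/17/2008 2:04:54
RenewUntil: 10/16/2008 19:04:54
TimeSkew: 1/1/1601 2:00:00
"""


def effective_lifetime(requested, client_max, service_max, realm_max=None):
    """Lifetime the KDC grants once every cap is applied: the smallest of the
    requested lifetime, the client principal's maximum, the service
    principal's maximum and (MIT krb5 KDC only) the realm-wide maximum.
    None or a zero timedelta means 'no limit' for that entry."""
    caps = [requested, client_max, service_max, realm_max]
    return min(c for c in caps if c)


def parse_klist(text):
    """Turn 'Key: value' lines of klist output into a dict (keys have no ':')."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def parse_klist_time(value):
    # klist prints US-style M/D/YYYY H:MM:SS without zero padding.
    return datetime.strptime(value, "%m/%d/%Y %H:%M:%S")


def decode_flags(hexstr):
    """Names of the set bits in a TicketFlags value, high bit first."""
    value = int(hexstr, 16)
    return [name for bit, name in sorted(TICKET_FLAGS.items(), reverse=True)
            if value & bit]


def tgt_lifetimes(text):
    """Ticket lifetime, renewable lifetime and flags from one klist tgt block."""
    f = parse_klist(text)
    start = parse_klist_time(f["StartTime"])
    return {
        "lifetime": parse_klist_time(f["EndTime"]) - start,
        "renewable_lifetime": parse_klist_time(f["RenewUntil"]) - start,
        "flags": decode_flags(f["TicketFlags"]),
    }


if __name__ == "__main__":
    print(tgt_lifetimes(KLIST_OUTPUT))
    # Hypothetical caps: policy asks for 10h (600 min) and the client allows
    # 10h, but a service-side cap of 8h wins.  Illustration only.
    print(effective_lifetime(timedelta(hours=10), timedelta(hours=10),
                             timedelta(hours=8)))
```

When comparing a Windows client against a KDC policy change, run the parser over `klist tgt` output before and after `klist purge`; if the lifetime does not move, the binding cap is somewhere other than the setting you changed.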