[30733] in Kerberos
Re: How do I change the ticket lifetime in the default policy?
daemon@ATHENA.MIT.EDU (Jason Edgecombe)
Tue Feb 17 20:44:55 2009
Message-ID: <499B67BC.4090905@rampaginggeek.com>
Date: Tue, 17 Feb 2009 20:43:24 -0500
From: Jason Edgecombe <jason@rampaginggeek.com>
MIME-Version: 1.0
To: Kevin Coffman <kwcoffman@gmail.com>
In-Reply-To: <4d569c330902171435j674380fib151052df0ad7c18@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Kevin Coffman wrote:
> On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe
> <jason@rampaginggeek.com> wrote:
>
>> Russ Allbery wrote:
>>
>>> Jason Edgecombe <jason@rampaginggeek.com> writes:
>>>
>>>> We are extending the ticket lifetime for all of the users in our realm
>>>> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
>>>> "modprinc -maxlife 7day user@REALM.COM" will extend the ticket lifetime
>>>> for an existing user, but how do I make it the default for new users?
>>>>
>>> I believe the default for new users is taken from the max_life setting in
>>> kdc.conf.
>>>
>> hmm,
>>
>> my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get
>> 7 day tickets by default. Am I missing something?
>>
>
> The ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> Sounds like you have changed 1) and 3). You'll also need to modify
> the maxlife for principal krbtgt/<REALM>@<REALM> to get TGTs with a
> longer lifetime. (You will have to alter other service principals if
> you want to issue service tickets with longer lifetimes for those
> services.)
>
> I believe there is a default (requested) lifetime in kinit as well, so
> you may need to specify a longer requested lifetime there ("kinit -l
> 7d").
>
I can already get a 7 day ticket length when I kinit because my
principal is set for 7 days lifetime. That works. I'm just wondering how
I can run "addprinc user -maxlife 7day" without having to specify
"-maxlife 7day" or modprinc user -maxlife 7day after the addprinc.
Thanks,
Jason
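The "minimum of four values" rule from Kevin's reply, worked through as an added example (not code from the thread or from MIT Kerberos): it parses kadmin-style lifetime strings such as "7d 0h 0m 0s" or "7day", takes the minimum of the four limits, and names the one that is binding. The realm EXAMPLE.COM, the 1-day krbtgt maxlife and the treatment of a bare number as seconds are assumptions for the scenario.

```python
import re
from typing import Dict, Tuple

# Duration units in the form kadmin's -maxlife / kdc.conf max_life accept.
# Assumption: a bare number with no unit is a count of seconds.
_UNITS = {"s": 1, "sec": 1, "second": 1, "seconds": 1,
          "m": 60, "min": 60, "minute": 60, "minutes": 60,
          "h": 3600, "hour": 3600, "hours": 3600,
          "d": 86400, "day": 86400, "days": 86400}


def parse_lifetime(text: str) -> int:
    """Return the number of seconds in a lifetime string like '7d 0h 0m 0s'."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\s*\d+\s*[a-z]+)+\s*", text):
        raise ValueError(f"unrecognised lifetime: {text!r}")
    total = 0
    for amount, unit in re.findall(r"(\d+)\s*([a-z]+)", text):
        if unit not in _UNITS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(amount) * _UNITS[unit]
    return total


def effective_lifetime(limits: Dict[str, str]) -> Tuple[int, str]:
    """The KDC grants the smallest of the limits; return (seconds, which limit)."""
    seconds = {label: parse_lifetime(value) for label, value in limits.items()}
    binding = min(seconds, key=seconds.get)
    return seconds[binding], binding


# Constructed scenario matching the thread: user principal, kdc.conf and the
# kinit request already at 7 days, krbtgt/REALM@REALM still at 1 day.
EXAMPLE_LIMITS = {
    "user principal maxlife": "7day",
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM maxlife": "1 day",
    "kdc.conf max_life": "7d 0h 0m 0s",
    "kinit -l request": "7d",
}

if __name__ == "__main__":
    secs, who = effective_lifetime(EXAMPLE_LIMITS)
    print(f"effective TGT lifetime: {secs // 3600} hours, limited by {who}")
```

Raising the krbtgt entry in EXAMPLE_LIMITS to "7d" makes the user principal (or whichever limit is now smallest) the binding one, which is the check to run before concluding that a config change "didn't take".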
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos