[30737] in Kerberos


Re: How do I change the ticket lifetime in the default policy?

daemon@ATHENA.MIT.EDU (Kevin Coffman)
Wed Feb 18 11:15:00 2009

In-Reply-To: <499B30EF.4090407@rampaginggeek.com>
Date: Tue, 17 Feb 2009 17:35:37 -0500
Message-ID: <4d569c330902171435j674380fib151052df0ad7c18@mail.gmail.com>
From: Kevin Coffman <kwcoffman@gmail.com>
To: Jason Edgecombe <jason@rampaginggeek.com>
Cc: kerberos@mit.edu

On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe
<jason@rampaginggeek.com> wrote:
> Russ Allbery wrote:
>> Jason Edgecombe <jason@rampaginggeek.com> writes:
>>
>>
>>> We are extending the ticket lifetime for all of the users in our realm
>>> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
>>> "modprinc -maxlife 7day user@REALM.COM" will extend the ticket lifetime
>>> for an existing user, but how do I make it the default for new users?
>>>
>>
>> I believe the default for new users is taken from the max_life setting in
>> kdc.conf.
>>
>>
> hmm,
>
> my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get
> 7 day tickets by default. Am I missing something?

The ticket lifetime is the minimum of 4 values:
1) maxlife for the user principal
2) maxlife for the service [principal]
3) max_life in the kdc.conf
4) requested lifetime in the ticket request

Sounds like you have changed 1) and 3).  You'll also need to modify
the maxlife for principal krbtgt/<REALM>@<REALM> to get TGTs with a
longer lifetime.  (You will have to alter other service principals if
you want to issue service tickets with longer lifetimes for those
services.)

I believe there is a default (requested) lifetime in kinit as well, so
you may need to specify a longer requested lifetime there ("kinit -l
7d").

K.C.
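
The minimum-of-four rule from the message above, as an added example that is not part of the original post or of MIT Kerberos: it works out which of the four values is the one limiting a ticket. The function names are hypothetical, and the inputs are assumed to be either the duration forms shown in the thread ("7d 0h 0m 0s", "7d"), h:mm[:ss], bare seconds, or the "N day(s) hh:mm:ss" form that kadmin's getprinc prints for "Maximum ticket life".

```python
import re

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Return seconds for '7d 0h 0m 0s', '7d', 'h:mm[:ss]', bare seconds,
    or the 'N day(s) hh:mm:ss' form printed by kadmin getprinc."""
    text = text.strip().lower()
    m = re.fullmatch(r"(\d+) days? (\d+):(\d\d):(\d\d)", text)
    if m:
        d, h, mi, s = map(int, m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    if re.fullmatch(r"\d+", text):
        return int(text)
    m = re.fullmatch(r"(\d+):(\d\d)(?::(\d\d))?", text)
    if m:
        return int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3) or 0)
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    # Reject input that has anything left over besides number+unit pairs.
    if not parts or re.sub(r"\d+\s*[dhms]|\s", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def effective_lifetime(user_maxlife, service_maxlife, kdc_max_life, requested):
    """Ticket lifetime is the minimum of the four values listed in the
    message. Returns (seconds, names of the value(s) that set that limit)."""
    caps = {
        "user principal maxlife": parse_duration(user_maxlife),
        "service principal maxlife": parse_duration(service_maxlife),
        "kdc.conf max_life": parse_duration(kdc_max_life),
        "requested lifetime": parse_duration(requested),
    }
    limit = min(caps.values())
    return limit, [name for name, secs in caps.items() if secs == limit]


if __name__ == "__main__":
    # Constructed values mirroring the thread: the user principal and
    # kdc.conf were raised to 7 days, kinit asks for 7d, but the
    # krbtgt service principal is still at 1 day.
    secs, limiting = effective_lifetime(
        "7 days 00:00:00", "1 day 00:00:00", "7d 0h 0m 0s", "7d")
    print(f"TGT lifetime: {secs // 3600}h, limited by: {', '.join(limiting)}")
```

For a TGT request the "service principal" argument is the maxlife of krbtgt/<REALM>@<REALM>; for a service ticket it is the maxlife of that service's principal.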