[30785] in Kerberos
Re: Long-running jobs with renewal of krb5 tickets and AFS tokens
daemon@ATHENA.MIT.EDU (Jason Edgecombe)
Mon Mar 2 21:03:58 2009
Message-ID: <49AC8FD3.8000701@rampaginggeek.com>
Date: Mon, 02 Mar 2009 21:02:59 -0500
From: Jason Edgecombe <jason@rampaginggeek.com>
MIME-Version: 1.0
To: Nicolas Williams <Nicolas.Williams@sun.com>
In-Reply-To: <20090302185458.GC9992@Sun.COM>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Nicolas Williams wrote:
> On Sat, Feb 28, 2009 at 11:40:26PM -0500, Jason Edgecombe wrote:
>
>> I guess setting things for renewable tickets longer than 7 days or
>> running the jobs in local disk will be easiest.
>>
>> We have a 7 day normal/renewable lifetime. What length do other sites have?
>>
>
> I have seen sites use on the order of months for the renewable ticket
> lifetime, but still hours for normal ticket lifetime. If you already
> use seven days for renew life you might as well double it -- whatever
> your threat model is, if you can accept seven days then chances are you
> can accept fourteen.
>
Doubling it wouldn't really help. It would probably need to be on the
order of a month. If I were to change the renewable lifetime, I need to
change all principals, the client krb5.conf and the server kdc.conf. Is
that correct?
Thanks,
Jason
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
