
Re: Long-running jobs with renewal of krb5 tickets and AFS tokens

daemon@ATHENA.MIT.EDU (Nicolas Williams)
Mon Mar 2 21:45:20 2009

Date: Mon, 2 Mar 2009 20:34:49 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: Jason Edgecombe <jason@rampaginggeek.com>
Message-ID: <20090303023449.GM9992@Sun.COM>
Mime-Version: 1.0
Content-Disposition: inline
In-Reply-To: <49AC8FD3.8000701@rampaginggeek.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Mon, Mar 02, 2009 at 09:02:59PM -0500, Jason Edgecombe wrote:
> Nicolas Williams wrote:
> >I have seen sites use on the order of months for the renewable ticket
> >lifetime, but still hours for normal ticket lifetime.  If you already
> >use seven days for renew life you might as well double it -- whatever
> >your threat model is, if you can accept seven days then chances are you
> >can accept fourteen.
> >  
> Doubling it wouldn't really help. It would probably need to be on the 
> order of a month. If I were to change the renewable lifetime, I need to 
> change all principals, the client krb5.conf and the server kdc.conf. Is 
> that correct?

Hmmm, not sure.  The client ought to ask for infinity, but I don't think
that's the default, sadly.  The kdc.conf parameters in question are best
not used -- you can use kadmin policies instead.  Also, IIRC the TGS
principal's renew life puts a bound on all, IIRC, so generally you might
want to set principals' renewable ticket life to be very long, and use
the TGS principal as a big hammer.

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos