Ticket lifetimes > 10 hrs?

Tom Yu tlyu at MIT.EDU
Thu Nov 14 01:51:25 EST 2002


>>>>> "nemesis" == RCU  <nemesis at icequake.no_spam.net> writes:

>> - - Check the configuration of the kdc. It may be set up to only
>> allow a maximum ticket lifetime of ten hours. 
>> 

nemesis> - kdc.conf on the KDC
nemesis>         max_life = 7d 0h 0m 0s
nemesis>         max_renewable_life = 7d 0h 0m 0s

nemesis> are those the correct stanzas?

What are the *exact* contents of your kdc.conf?  What were the
contents of kdc.conf when you set up your database and when you
created the principals involved in the transactions you care about?

You should keep in mind that each principal in the database has its
own max lifetime and max renewable lifetime.  The actual logic for
max_life when issuing tickets uses the least of service max_life,
client max_life, and realm max_life.  I believe creating principals
sets the principal's lifetimes to use the realm defaults.  Arguably
this is a bug, since it makes globally increasing the lifetimes
difficult -- effectively you must increase the lifetimes of each
principal in addition to altering the realm configuration.

---Tom
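
An added illustration, not part of the message above and not MIT Kerberos code: it models the least-of-three rule the reply describes and shows why raising only the realm max_life leaves tickets at the old limit. The function names, principal names, and the 10-hour per-principal values are constructed assumptions.

```python
import re

# Units in the "7d 0h 0m 0s" form quoted in the thread.
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Parse a duration such as '7d 0h 0m 0s' into seconds."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty duration")
    total = 0
    for tok in tokens:
        m = re.fullmatch(r"(\d+)([dhms])", tok)
        if not m:
            raise ValueError(f"bad duration token: {tok!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
    return total

def effective_max_life(realm, client, service):
    """Return (seconds, limiting sources) under the least-of-three rule."""
    limits = {"realm": parse_duration(realm),
              "client": parse_duration(client),
              "service": parse_duration(service)}
    lowest = min(limits.values())
    return lowest, sorted(k for k, v in limits.items() if v == lowest)

def principals_to_raise(realm, principals):
    """Principals whose own max_life is below the realm value."""
    cap = parse_duration(realm)
    return sorted(n for n, life in principals.items()
                  if parse_duration(life) < cap)

# Constructed sample: two principals created while the realm default was
# 10 hours, one created after kdc.conf was changed to 7 days.
SAMPLE_PRINCIPALS = {
    "alice@EXAMPLE.COM": "0d 10h 0m 0s",
    "krbtgt/EXAMPLE.COM@EXAMPLE.COM": "0d 10h 0m 0s",
    "host/new.example.com@EXAMPLE.COM": "7d 0h 0m 0s",
}
NEW_REALM_MAX_LIFE = "7d 0h 0m 0s"

if __name__ == "__main__":
    secs, why = effective_max_life(
        NEW_REALM_MAX_LIFE,
        SAMPLE_PRINCIPALS["alice@EXAMPLE.COM"],
        SAMPLE_PRINCIPALS["krbtgt/EXAMPLE.COM@EXAMPLE.COM"])
    print(f"effective max_life: {secs // 3600}h, limited by {why}")
    print("still capped:", principals_to_raise(NEW_REALM_MAX_LIFE, SAMPLE_PRINCIPALS))
```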


