ticket lifetimes
Derek T. Yarnell
derek at cs.umd.edu
Tue May 21 11:58:14 EDT 2002
here is my kdc.conf
[kdcdefaults]
kdc_ports = 88,750
[realms]
CS.UMD.EDU = {
max_life = 48h 0m 0s
max_renewable_life = 21d 0h 0m 0s
acl_file = /var/krb5kdc/kadm5.acl
dict_file = /usr/share/lib/dict/words
admin_keytab = /var/krb5kdc/kadm5.keytab
key_stash_file = /var/krb5kdc/.k5.CS.UMD.EDU
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3
}
my krb5.conf is
[logging]
default = FILE:/var/adm/krb5libs.log
kdc = FILE:/var/adm/krb5kdc.log
admin_server = FILE:/var/adm/kadmind.log
[libdefaults]
default_realm = CS.UMD.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = des-cbc-crc des3-hmac-sha1
default_tgs_enctypes = des-cbc-crc des3-hmac-sha1
[realms]
CS.UMD.EDU = {
kdc = tomax.cs.umd.edu:88
kdc = xamot.cs.umd.edu:88
admin_server = tomax.cs.umd.edu:749
default_domain = cs.umd.edu
}
UMIACS.UMD.EDU = {
kdc = phobos.umiacs.umd.edu:88
kdc = deimos.umiacs.umd.edu:88
admin_server = phobos.umiacs.umd.edu
}
[domain_realm]
.cs.umd.edu = CS.UMD.EDU
cs.umd.edu = CS.UMD.EDU
.umiacs.umd.edu = UMIACS.UMD.EDU
umiacs.umd.edu = UMIACS.UMD.EDU
.cfar.umd.edu = CFAR.UMD.EDU
cfar.umd.edu = CFAR.UMD.EDU
[kdc]
profile = /var/krb5kdc/kdc.conf
[pam]
debug = true
forwardable = true
krb4_convert = false
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
On Tue, May 21, 2002 at 11:52:52AM -0400, Nicolas.Williams at ubsw.com wrote:
>
> You're probably not setting the kdc.conf parameters correctly. Remember, kdc.conf lives in the directory where the KDB lives.
>
> Ticket lifetimes are bounded by the kdc.conf settings, plus the client's krb5.conf settings, plus the principal records' settings.
>
> Nico
> --
>
> > -----Original Message-----
> > From: Derek Yarnell [mailto:derek at cs.umd.edu]
> > Sent: Tuesday, May 21, 2002 11:30 AM
> > To: kerberos at mit.edu
> > Subject: Re: ticket lifetimes
> >
> >
> > Turbo Fredriksson wrote:
> > >>>>>>"Derek" == Derek Yarnell <derek at cs.umd.edu> writes:
> > >>>>>
> > >
> > > Derek> I can't seem to increase my ticket lifetimes. I changed
> > > Derek> both my princ (derek at CS.UMD.EDU) and the tgt/CS.UMD.EDU to
> > > Derek> have max lifetimes of 48hours using kadmin
> > >
> > > Change your service keys as well (host/FQDN at REALM etc).
> >
> > I changed the service keys (you mean krbtgt/CS.UMD.EDU and what?) as
> > well as all the hosts (host/FQDN) to have max life of 48 hours (2 days)
> > yet still ...
> >
> > argh..
--
---
Derek T. Yarnell
University of Maryland
Computer Science Department Unix Staff
derek at cs.umd.edu
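
Added example, not part of the original thread: a small checker for the rule Nico states above, that a ticket's lifetime is bounded by the kdc.conf setting, the client's request, and the principal records, so the smallest of them wins. The function names and the input values are hypothetical and constructed, and the duration parser only covers the "48h 0m 0s" form shown in the kdc.conf above plus bare seconds.

```python
import re

# Constructed sample: the realm stanza values from the kdc.conf quoted above.
KDC_CONF = """
[realms]
CS.UMD.EDU = {
max_life = 48h 0m 0s
max_renewable_life = 21d 0h 0m 0s
}
"""

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Seconds for '48h 0m 0s' style values or a bare number of seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    # Reject anything left over once the number+unit tokens are removed.
    if not parts or re.sub(r"\d+\s*[dhms]|\s+", "", text):
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)

def realm_setting(conf, realm, key):
    """Return the raw value of `key` inside the `realm = { ... }` stanza."""
    stanza = re.search(rf"^{re.escape(realm)}\s*=\s*\{{(.*?)^\}}", conf, re.S | re.M)
    hit = stanza and re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+)$", stanza.group(1), re.M)
    if not hit:
        raise KeyError(f"{key} not set for realm {realm}")
    return hit.group(1).strip()

def diagnose(conf, realm, requested, client_max, service_max):
    """Return (effective lifetime in seconds, labels of the bound(s) that set it)."""
    bounds = {
        "requested by client": parse_duration(requested),
        "kdc.conf max_life": parse_duration(realm_setting(conf, realm, "max_life")),
        "client principal maxlife": parse_duration(client_max),
        "service principal maxlife": parse_duration(service_max),
    }
    lowest = min(bounds.values())
    return lowest, sorted(k for k, v in bounds.items() if v == lowest)

if __name__ == "__main__":
    # Constructed inputs: a 10h request against 48h limits everywhere else.
    secs, binding = diagnose(KDC_CONF, "CS.UMD.EDU", "10h", "48h 0m 0s", "48h 0m 0s")
    print(f"{secs // 3600}h, limited by: {', '.join(binding)}")
```

Feed it the values reported by kadmin for the client and service principals and the lifetime the client actually asks for; the returned labels name whichever bound is holding the ticket lifetime down.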