ticket lifetimes

Kevin Rowland krowland at nd.edu
Tue May 21 12:02:53 EDT 2002


I haven't checked to see if this is changed, but from some notes I took
when we ran into the same issue, we (re)hardcoded a really large default
tkt life in kinit.c. 

+
+    /* tkt_life gets hardcoded in get_in_tkt.c to (10*60*60) seconds.
+     * We would rather have the *default* follow the the max life set
+     * for the principal (assuming that the server principal will allow
that)
+     * So, set our lifetime option to something *huge*.
+     */
+    #define UND_DEFAULT_TKT_LIFE    "365d"
+
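Review bot: with UND_DEFAULT_TKT_LIFE set to "365d", the only remaining bound on a default ticket is the assumption in the comment's "assuming that the server principal will allow that" line. Any principal or realm whose max life is unset or generous would then issue tickets of up to a year to anyone running a plain kinit. The comment should state that a max life must be configured on every principal and on the realm, or the constant should be the site's intended default rather than a year. The comment also reads "the the max life", and the hunk does not show where UND_DEFAULT_TKT_LIFE is used, so it cannot be confirmed from these lines that an explicit lifetime option still overrides it.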

This was just a way to "force" the default behaviour to track the keys
involved, of which the minimum lifetime prevails (client, server, realm
max_life).

HTH!

-- kevin

/------------------------------------------------------------------\
| Kevin Rowland                   Office of Information Technology |
| Sr. Systems Engineer            University of Notre Dame         |
|                                                                  |
| pgpKeyID: 0x83C89CCE                                             |
| fingerprint: 7750 F81A BBD9 8487 18DC  5312 154E FCBA 83C8 9CCE  |
| http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x83C89CCE     |
\------------------------------------------------------------------/


Derek Yarnell wrote:
> 
> I can't seem to increase my ticket lifetimes.
> 
> I changed both my princ (derek at CS.UMD.EDU) and the tgt/CS.UMD.EDU
> to have max lifetimes of 48hours using kadmin
> 
> I have added,
> 
>    max_life = 48h 0m 0s
>    max_renewable_life = 21d 0h 0m 0s
> 
> to my kdc.conf and restarted all the daemons on all the KDCs.
> 
> I have changed the kdc.conf to
> 
> [libdefaults]
>   ticket_lifetime = 2880
> 
> Even tried,
> 
>         kinit -l 48hours
> 
> And it doesn't work, what am I missing here..
> 
> I did try this, removed the default life from libdefaults in krb5.conf.
> I can get a two hour ticket if I do a kinit -l 48hours but if I just do
> a kinit I only get the 10 hour.
> 
> How can I make 48 hours default for everything..
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> http://mailman.mit.edu/mailman/listinfo/kerberos
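
The "minimum lifetime prevails" rule from the reply above, as an added example (not code from the original post or from the Kerberos sources). The function names are hypothetical, and the duration parser is a sketch that assumes a number with no unit means seconds.

```c
#include <ctype.h>
#include <stdlib.h>

/* Parse "48h 0m 0s", "365d" or "2880" into seconds; -1 if malformed.
 * Assumption of this sketch: a number with no unit counts as seconds. */
long parse_life(const char *s)
{
    long total = 0;
    int seen = 0;
    for (;;) {
        char *end;
        long n, mult = 1;
        while (isspace((unsigned char)*s))
            s++;
        if (*s == '\0')
            break;
        if (!isdigit((unsigned char)*s))
            return -1;
        n = strtol(s, &end, 10);
        switch (*end) {
        case 'd': mult = 86400; end++; break;
        case 'h': mult = 3600;  end++; break;
        case 'm': mult = 60;    end++; break;
        case 's': mult = 1;     end++; break;
        }
        total += n * mult;
        seen = 1;
        s = end;
    }
    return seen ? total : -1;
}

/* Granted lifetime: the smallest of the requested life and the three
 * max_life values (client principal, server principal, realm). */
long granted_life(const char *req, const char *client,
                  const char *server, const char *realm)
{
    const char *in[4] = { req, client, server, realm };
    long best = -1;
    for (int i = 0; i < 4; i++) {
        long v = parse_life(in[i]);
        if (v < 0)
            return -1;
        if (best < 0 || v < best)
            best = v;
    }
    return best;
}
```

With a "365d" request the result is whatever the smallest max_life allows, so the max_life values are the only real limit once the client asks for a year.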
