ticket lifetimes

Nicolas.Williams@ubsw.com Nicolas.Williams at ubsw.com
Tue May 21 12:08:32 EDT 2002


Actually, looking through the source (src/lib/krb5/krb/get_in_tkt.c and gic_*.c) I see that the default client request for ticket lifetime is 10 hours and there is no way to set that in krb5.conf (ok, I haven't looked at the latest release).

So, wrt ticket lifetime you're stuck with 10 hours - or you can change the source.

But you can set the renewable lifetime (and you have to set that in krb5.conf as well as kdc.conf and the principals' records).

Nico
--  

> -----Original Message-----
> From: Derek T. Yarnell [mailto:derek at cs.umd.edu]
> Sent: Tuesday, May 21, 2002 11:58 AM
> To: Williams, Nicolas
> Cc: derek at cs.umd.edu; kerberos at mit.edu
> Subject: Re: ticket lifetimes
> 
> 
> here is my kdc.conf
> 
> [kdcdefaults]
>   kdc_ports = 88,750
> [realms]
>  CS.UMD.EDU = {
>   max_life = 48h 0m 0s
>   max_renewable_life = 21d 0h 0m 0s
>   acl_file = /var/krb5kdc/kadm5.acl
>   dict_file = /usr/share/lib/dict/words
>   admin_keytab = /var/krb5kdc/kadm5.keytab
>   key_stash_file = /var/krb5kdc/.k5.CS.UMD.EDU
>   master_key_type = des-cbc-crc
>   supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3
>  }
> 
> my krb5.conf is 
> 
> [logging]
>  default = FILE:/var/adm/krb5libs.log
>  kdc = FILE:/var/adm/krb5kdc.log
>  admin_server = FILE:/var/adm/kadmind.log
> 
> [libdefaults]
>  default_realm = CS.UMD.EDU
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>  default_tkt_enctypes = des-cbc-crc des3-hmac-sha1
>  default_tgs_enctypes = des-cbc-crc des3-hmac-sha1
> 
> [realms]
>  CS.UMD.EDU = {
>   kdc = tomax.cs.umd.edu:88
>   kdc = xamot.cs.umd.edu:88
>   admin_server = tomax.cs.umd.edu:749
>   default_domain = cs.umd.edu
>  }
> 
>  UMIACS.UMD.EDU = {
>   kdc = phobos.umiacs.umd.edu:88
>   kdc = deimos.umiacs.umd.edu:88
>   admin_server = phobos.umiacs.umd.edu
> }  
> 
> 
> [domain_realm]
>  .cs.umd.edu = CS.UMD.EDU
>  cs.umd.edu = CS.UMD.EDU
>  .umiacs.umd.edu = UMIACS.UMD.EDU
>  umiacs.umd.edu = UMIACS.UMD.EDU
>  .cfar.umd.edu = CFAR.UMD.EDU
>  cfar.umd.edu = CFAR.UMD.EDU
> 
> [kdc]
>  profile = /var/krb5kdc/kdc.conf
> 
> [pam]
>  debug = true
>  forwardable = true
>  krb4_convert = false
> 
> [appdefaults]
>         kinit = {
>                 renewable = true
>                 forwardable= true
>         }
> 
> 
> 
> On Tue, May 21, 2002 at 11:52:52AM -0400, 
> Nicolas.Williams at ubsw.com wrote:
> > 
> > You're probably not setting the kdc.conf parameters correctly. Remember, kdc.conf lives in the directory where the KDB lives.
> > 
> > Ticket lifetimes are bounded by the kdc.conf settings, plus the client's krb5.conf settings, plus the principal records' settings.
> > 
> > Nico
> > --  
> > 
> > > -----Original Message-----
> > > From: Derek Yarnell [mailto:derek at cs.umd.edu]
> > > Sent: Tuesday, May 21, 2002 11:30 AM
> > > To: kerberos at mit.edu
> > > Subject: Re: ticket lifetimes
> > > 
> > > 
> > > Turbo Fredriksson wrote:
> > > >>>>>>"Derek" == Derek Yarnell <derek at cs.umd.edu> writes:
> > > >>>>>
> > > > 
> > > >     Derek> I can't seem to increase my ticket lifetimes.  I changed
> > > >     Derek> both my princ (derek at CS.UMD.EDU) and the tgt/CS.UMD.EDU to
> > > >     Derek> have max lifetimes of 48hours using kadmin
> > > > 
> > > > Change your service keys as well (host/FQDN at REALM etc).
> > > 
> > > I changed the service keys (you mean krbtgt/CS.UMD.EDU and what?) as
> > > well as all the hosts (host/FQDN) to have max life of 48 hours (2 days)
> > > yet still ...
> > > 
> > > argh..
> > > 
> > > 
> > > ________________________________________________
> > > Kerberos mailing list           Kerberos at mit.edu
> > > http://mailman.mit.edu/mailman/listinfo/kerberos
> > > 
> > 
> 
> -- 
> ---
> Derek T. Yarnell
> University of Maryland
> Computer Science Department Unix Staff
> derek at cs.umd.edu
> 

Visit our website at http://www.ubswarburg.com

This message contains confidential information and is intended only 
for the individual named.  If you are not the named addressee you 
should not disseminate, distribute or copy this e-mail.  Please 
notify the sender immediately by e-mail if you have received this 
e-mail by mistake and delete this e-mail from your system.

E-mail transmission cannot be guaranteed to be secure or error-free 
as information could be intercepted, corrupted, lost, destroyed, 
arrive late or incomplete, or contain viruses.  The sender therefore 
does not accept liability for any errors or omissions in the contents 
of this message which arise as a result of e-mail transmission.  If 
verification is required please request a hard-copy version.  This 
message is provided for informational purposes and should not be 
construed as a solicitation or offer to buy or sell any securities or 
related financial instruments.
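An added example, not code from this thread or from MIT krb5, of the clamping Nico describes: the lifetime the KDC grants is the client's request capped by kdc.conf max_life and by the client and service principals' maximum lives, with the 10-hour default request taken from Nico's reading of get_in_tkt.c. Duration strings follow the kdc.conf format in Derek's config; the bound labels and the principal values are constructed assumptions.

```python
import re

_UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}
# Client-side default initial request Nico found hard-coded in get_in_tkt.c.
DEFAULT_CLIENT_REQUEST = "10h 0m 0s"


def parse_duration(text):
    """Parse a kdc.conf-style duration ('48h 0m 0s', '21d 0h 0m 0s') into seconds."""
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    # Reject anything that is not purely <number><unit> groups (e.g. '48hours').
    if not parts or re.sub(r"\d+\s*[dhms]\s*", "", text).strip():
        raise ValueError(f"unparseable duration: {text!r}")
    return sum(int(n) * _UNIT[u] for n, u in parts)


def format_duration(seconds):
    """Render seconds back in the 'Xd Xh Xm Xs' style used in kdc.conf."""
    d, rem = divmod(seconds, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return (f"{d}d " if d else "") + f"{h}h {m}m {s}s"


def granted_lifetime(bounds, requested=DEFAULT_CLIENT_REQUEST):
    """Return (seconds, limiting_setting): the request clamped by every bound.

    bounds maps a label to a duration string: the kdc.conf max_life, the
    client principal's max life and the krbtgt (service) principal's max life.
    """
    granted, limiter = parse_duration(requested), "client request"
    for label, value in bounds.items():
        secs = parse_duration(value)
        if secs < granted:
            granted, limiter = secs, label
    return granted, limiter


# Constructed from Derek's situation (assumed values): everything server-side
# already allows 48h, so the hard-coded 10h client request is what caps the ticket.
DEREK_BOUNDS = {
    "kdc.conf max_life": "48h 0m 0s",
    "derek@CS.UMD.EDU maxlife": "2d 0h 0m 0s",
    "krbtgt/CS.UMD.EDU@CS.UMD.EDU maxlife": "48h 0m 0s",
}

if __name__ == "__main__":
    secs, why = granted_lifetime(DEREK_BOUNDS)
    print(f"granted {format_duration(secs)}, limited by: {why}")
```

Running it reports the ticket is limited by the client request, which is the diagnosis Nico reaches: raising max_life and the principals' maxima cannot help until the client asks for more.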
