ticket lifetimes
Nicolas.Williams@ubsw.com
Tue May 21 12:34:19 EDT 2002
Actually, clients' requested ticket lifetimes depend on other factors.
The get_in_tkt_with*() APIs set the requested ticket lifetime as per their creds argument.
The get_init_creds*() APIs default the requested lifetime to 10 hours, but this can be set by the caller separately.
Non-initial tickets' lifetimes are bounded by the TGTs used to get them.
There's code in init_ctx.c that has been ifdef'ed out for setting the default client max ticket life in krb5.conf...
Nico
--
> -----Original Message-----
> From: Williams, Nicolas
> Sent: Tuesday, May 21, 2002 12:09 PM
> To: 'Derek T. Yarnell'
> Cc: kerberos at mit.edu
> Subject: RE: ticket lifetimes
>
>
>
> Actually, looking through the source
> (src/lib/krb5/krb/get_in_tkt.c and gic_*.c I see that the
> default client request for ticket lifetime is 10 hours and
> there is no way to set that in krb5.conf (ok, I haven't
> looked at the latest release).
>
> So, wrt ticket lifetime you're stuck with 10 hours - or you
> can change the source.
>
> But you can set the renewable lifetime (and you have to set
> that in krb5.conf as well as kdc.conf and the principals' records).
>
> Nico
> --
>
> > -----Original Message-----
> > From: Derek T. Yarnell [mailto:derek at cs.umd.edu]
> > Sent: Tuesday, May 21, 2002 11:58 AM
> > To: Williams, Nicolas
> > Cc: derek at cs.umd.edu; kerberos at mit.edu
> > Subject: Re: ticket lifetimes
> >
> >
> > here is my kdc.conf
> >
> > [kdcdefaults]
> > kdc_ports = 88,750
> > [realms]
> > CS.UMD.EDU = {
> > max_life = 48h 0m 0s
> > max_renewable_life = 21d 0h 0m 0s
> > acl_file = /var/krb5kdc/kadm5.acl
> > dict_file = /usr/share/lib/dict/words
> > admin_keytab = /var/krb5kdc/kadm5.keytab
> > key_stash_file = /var/krb5kdc/.k5.CS.UMD.EDU
> > master_key_type = des-cbc-crc
> > supported_enctypes = des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:v4 des-cbc-crc:afs3
> > }
> >
> > my krb5.conf is
> >
> > [logging]
> > default = FILE:/var/adm/krb5libs.log
> > kdc = FILE:/var/adm/krb5kdc.log
> > admin_server = FILE:/var/adm/kadmind.log
> >
> > [libdefaults]
> > default_realm = CS.UMD.EDU
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> > default_tkt_enctypes = des-cbc-crc des3-hmac-sha1
> > default_tgs_enctypes = des-cbc-crc des3-hmac-sha1
> >
> > [realms]
> > CS.UMD.EDU = {
> > kdc = tomax.cs.umd.edu:88
> > kdc = xamot.cs.umd.edu:88
> > admin_server = tomax.cs.umd.edu:749
> > default_domain = cs.umd.edu
> > }
> >
> > UMIACS.UMD.EDU = {
> > kdc = phobos.umiacs.umd.edu:88
> > kdc = deimos.umiacs.umd.edu:88
> > admin_server = phobos.umiacs.umd.edu
> > }
> >
> >
> > [domain_realm]
> > .cs.umd.edu = CS.UMD.EDU
> > cs.umd.edu = CS.UMD.EDU
> > .umiacs.umd.edu = UMIACS.UMD.EDU
> > umiacs.umd.edu = UMIACS.UMD.EDU
> > .cfar.umd.edu = CFAR.UMD.EDU
> > cfar.umd.edu = CFAR.UMD.EDU
> >
> > [kdc]
> > profile = /var/krb5kdc/kdc.conf
> >
> > [pam]
> > debug = true
> > forwardable = true
> > krb4_convert = false
> >
> > [appdefaults]
> > kinit = {
> > renewable = true
> > forwardable= true
> > }
> >
> >
> >
> > On Tue, May 21, 2002 at 11:52:52AM -0400,
> > Nicolas.Williams at ubsw.com wrote:
> > >
> > > You're probably not setting the kdc.conf parameters correctly. Remember,
> > > kdc.conf lives in the directory where the KDB lives.
> > >
> > > Ticket lifetimes are bounded by the kdc.conf settings, plus the client's
> > > krb5.conf settings, plus the principal records' settings.
> > >
> > > Nico
> > > --
> > >
> > > > -----Original Message-----
> > > > From: Derek Yarnell [mailto:derek at cs.umd.edu]
> > > > Sent: Tuesday, May 21, 2002 11:30 AM
> > > > To: kerberos at mit.edu
> > > > Subject: Re: ticket lifetimes
> > > >
> > > >
> > > > Turbo Fredriksson wrote:
> > > > >>>>>>"Derek" == Derek Yarnell <derek at cs.umd.edu> writes:
> > > > >>>>>
> > > > >
> > > > > Derek> I can't seem to increase my ticket lifetimes. I changed
> > > > > Derek> both my princ (derek at CS.UMD.EDU) and the tgt/CS.UMD.EDU to
> > > > > Derek> have max lifetimes of 48hours using kadmin
> > > > >
> > > > > Change your service keys as well (host/FQDN at REALM etc).
> > > >
> > > > I changed the service keys (you mean krbtgt/CS.UMD.EDU and what?) as
> > > > well as all the hosts (host/FQDN) to have max life of 48 hours (2 days)
> > > > yet still ...
> > > >
> > > > argh..
> > > >
> > > >
> > > > ________________________________________________
> > > > Kerberos mailing list Kerberos at mit.edu
> > > > http://mailman.mit.edu/mailman/listinfo/kerberos
> > > >
> > >
> > >
> >
> > --
> > ---
> > Derek T. Yarnell
> > University of Maryland
> > Computer Science Department Unix Staff
> > derek at cs.umd.edu
> >
>
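As an added illustration (not code from the thread or from MIT krb5), a small Python model of the bounding rule Nico describes: the client requests a lifetime (10 hours by default in the MIT libraries), the KDC grants no more than the smallest of that request, kdc.conf max_life and the principals' max lifetimes, and a non-initial ticket is further capped by the remaining life of the TGT used to get it. The duration parser handles the kdc.conf format quoted above; the 48h values come from Derek's configuration, the rest is constructed.

```python
"""Added model of the Kerberos ticket-lifetime bounding rule described in the
thread (not MIT krb5 code). Inputs are seconds; sample values are constructed
from the kdc.conf and kadmin settings quoted above."""
import re

# kdc.conf duration syntax as quoted above, e.g. "48h 0m 0s" or "21d 0h 0m 0s".
_DURATION_RE = re.compile(
    r"^\s*(?:(\d+)d)?\s*(?:(\d+)h)?\s*(?:(\d+)m)?\s*(?:(\d+)s)?\s*$")

# Default lifetime the MIT client libraries request when the caller sets none.
DEFAULT_REQUESTED_LIFETIME = 10 * 3600


def parse_krb5_duration(text: str) -> int:
    """Convert a kdc.conf duration such as '48h 0m 0s' into seconds."""
    m = _DURATION_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised duration: {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def initial_ticket_lifetime(requested, kdc_max_life, client_max_life,
                            krbtgt_max_life):
    """AS exchange: the KDC never grants more than the smallest bound."""
    return min(requested, kdc_max_life, client_max_life, krbtgt_max_life)


def service_ticket_lifetime(requested, kdc_max_life, service_max_life,
                            tgt_remaining):
    """TGS exchange: a non-initial ticket cannot outlive the TGT it came from."""
    return min(requested, kdc_max_life, service_max_life, tgt_remaining)


def derek_scenario(requested=DEFAULT_REQUESTED_LIFETIME):
    """Constructed from the thread: max_life 48h in kdc.conf, and the user,
    krbtgt and host principals all set to a 48 hour max life in kadmin.
    With the default client request this still yields 10 hours (the symptom)."""
    max_life = parse_krb5_duration("48h 0m 0s")
    return initial_ticket_lifetime(requested, max_life, max_life, max_life)


if __name__ == "__main__":
    hours = lambda secs: secs / 3600
    print("default request :", hours(derek_scenario()), "h")           # 10.0 h
    print("kinit -l 48h    :", hours(derek_scenario(48 * 3600)), "h")  # 48.0 h
    # A service ticket requested two hours before the TGT expires is capped there.
    print("service, 2h left:", hours(service_ticket_lifetime(
        48 * 3600, 48 * 3600, 48 * 3600, 2 * 3600)), "h")              # 2.0 h
```

Raising the server-side limits alone changes nothing until the client asks for more than its 10-hour default, which is what the model reproduces.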