Ticket lifetimes > 10 hrs?

Mike Friedman mikef at ack.Berkeley.EDU
Thu Nov 14 11:09:09 EST 2002


On Wed Nov 13 04:47:57 2002, Sam Hartman said:

> However kinit -l should work.
> Confirm that you can do something like 
> kinit -l 22:00:00
> I know that works
> 
> Then try bumping up the lifetime until you run into problems and let
> us know where things start breaking.

I seem to be having the same problem.  I'm running krb5-1.2.5.  I changed my
kdc.conf so that max_life = 25h 0m 0s.  I then restarted kadmind and created
a test principal.  Sure enough, its max life was 25 hours.  But when I did a
'kinit -l 20h' for the principal, I got a TGT which would expire in 10 hours!

I took a look at the max life for my krbtgt/<REALM> and it's 21:15:00 (which
is what it was before I changed kdc.conf).  So, what else should I be looking
at?

Mike

------------------------------------------------------------------------------
Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu
------------------------------------------------------------------------------


