Ticket lifetimes > 10 hrs?

Mike Friedman mikef at ack.Berkeley.EDU
Thu Nov 14 13:25:19 EST 2002

On Thu Nov 14 10:17:42 2002, Ken Hornstein said:

>>I seem to be having the same problem.  I'm running krb5-1.2.5.  I changed my
>>kdc.conf so that max_life = 25h 0m 0s.  I then restarted kadmind and created
>>a test principal.  Sure enough, its max life was 25 hours.  But when I did a
>>'kinit -l 20h' for the principal, I got a TGT which would expire in 10 hours!
>>I took a look at the max life for my krbtgt/<REALM> and it's 21:15:00 (which
>>is what it was before I changed kdc.conf).  So, what else should I be looking
> Did you restart your KDC as well?

Oops, no I hadn't!  So, I just restarted krb5kdc and that seems to do it.
Of course, I still can't get a TGT with a lifetime greater than 21:15:00,
which is the max life set for my krbtgt principal.  But at least I know
that 'kinit -l' isn't broken.



Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu

More information about the Kerberos mailing list