Ticket lifetimes > 10 hrs?

Booker Bense bbense at SLAC.Stanford.EDU
Thu Nov 14 17:34:33 EST 2002

On Thu, 14 Nov 2002, Ken Hornstein wrote:

> >Oops, no I hadn't!  So, I just restarted krb5kdc and that seems to do it.
> >Of course, I still can't get a TGT with a lifetime greater than 21:15:00,
> >which is the max life set for my krbtgt principal.  But at least I know
> >that 'kinit -l' isn't broken.
> So, I guess the key is you need to set:
> - max_life in kdc.conf
> - Restart kdc
> - desired lifetime on both client and krbtgt principal

- I've seen this question a least 3-4 times on the list.
Is it in the FAQ?

>(and probablyservice principals as well).

- Unless you are using the server principals to get tickets, I
don't see any reason to reset those values. Yes, you will get
service tickets with a shorter lifetime, but so what? As long
as you have a krbtgt you can get all the service tickets you

- Booker C. Bense

[1]- except for changepw and others that require a direct

More information about the Kerberos mailing list