Ticket lifetimes > 10 hrs?

Booker Bense bbense at SLAC.Stanford.EDU
Thu Nov 14 17:34:33 EST 2002


On Thu, 14 Nov 2002, Ken Hornstein wrote:

> >Oops, no I hadn't!  So, I just restarted krb5kdc and that seems to do it.
> >Of course, I still can't get a TGT with a lifetime greater than 21:15:00,
> >which is the max life set for my krbtgt principal.  But at least I know
> >that 'kinit -l' isn't broken.
>
> So, I guess the key is you need to set:
>
> - max_life in kdc.conf
> - Restart kdc
> - desired lifetime on both client and krbtgt principal

- I've seen this question at least 3-4 times on the list.
Is it in the FAQ?

>
>(and probably service principals as well).
>

- Unless you are using the server principals to get tickets, I
don't see any reason to reset those values. Yes, you will get
service tickets with a shorter lifetime, but so what? As long
as you have a krbtgt you can get all the service tickets you
need[1].

- Booker C. Bense

[1]- except for changepw and others that require a direct
exchange.
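
The limits named in this thread combine as a minimum: the KDC issues a TGT no longer than the shortest of the requested lifetime, max_life in kdc.conf, and the maximum ticket life on the client and krbtgt principals. The sketch below is an added example, not part of the original messages; it reports which setting is the binding one. The duration formats it accepts and every sample value except 21:15:00 are constructed for illustration, and it does not model the KDC restart needed after editing kdc.conf.

```python
import re

def parse_duration(text):
    """Parse '21:15:00', '1 day 00:00:00' or '1d 0h 0m 0s' into seconds."""
    text = text.strip()
    m = re.fullmatch(r"(?:(\d+) days? )?(\d+):(\d\d):(\d\d)", text)
    if m:
        d, h, mi, s = (int(x or 0) for x in m.groups())
        return ((d * 24 + h) * 60 + mi) * 60 + s
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    # Reject input with anything left over besides number+unit pairs.
    if not parts or re.sub(r"\d+\s*[dhms]|\s", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * units[u] for n, u in parts)

def effective_tgt_life(requested, limits):
    """Return (seconds, binding) for the TGT lifetime the KDC would grant.

    `limits` maps a setting name to its configured maximum; `binding`
    lists the settings that cut the request short, or the request itself
    when no limit is lower than what was asked for.
    """
    want = parse_duration(requested)
    secs = {name: parse_duration(value) for name, value in limits.items()}
    granted = min([want, *secs.values()])
    binding = [n for n, v in secs.items() if v == granted and v < want]
    return granted, binding or ["requested lifetime (kinit -l)"]

# Constructed sample: the state described in the quoted message, where
# kdc.conf has been raised but krbtgt still carries 21:15:00.
SAMPLE_LIMITS = {
    "kdc.conf max_life": "1d 0h 0m 0s",
    "client principal": "1 day 00:00:00",
    "krbtgt principal": "0 days 21:15:00",
}

if __name__ == "__main__":
    secs, binding = effective_tgt_life("25h", SAMPLE_LIMITS)
    print(f"granted {secs // 3600}h{secs % 3600 // 60:02d}m, limited by {binding}")
```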



