Ticket lifetimes > 10 hrs?

RCU nemesis at icequake.no_spam.net
Thu Nov 14 22:14:39 EST 2002


> What are the *exact* contents of your kdc.conf?  What were the
> contents of kdc.conf when you set up your database and when you
> created the principals involved in the transactions you care about?


[kdcdefaults]
        kdc_ports = 750,88

[realms]
MYREALM.NET = {
                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5kdc/kadm5.acl
                key_stash_file = /etc/krb5kdc/stash
                kdc_ports = 750,88
                max_life = 7d 0h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des-cbc-crc:v4 des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
                default_principal_flags = +preauth
        }

When the principals and the kdc database were created, max_life was 10h 0m
0s.  No other changes.

> You should keep in mind that each principal in the database has its
> own max lifetime and max renewable lifetime.

Yes; I have set the following principals to issue 7d tickets:
krbtgt/MYREALM
afs
K/M
krbadm
username (of the user)

I agree that having to modify the individual principals makes it pretty
difficult to administer.  But regardless, this should work AFAIK, and I
can't seem to figure out where the problem is.

Thanks
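
The following is an added example, not part of the original message or of any Kerberos code base. It models how a KDC grants the minimum of all applicable lifetime caps and reports which cap decided the result; it goes beyond the post by also including the lifetime the client requests. The per-principal values and the requested lifetimes are constructed for illustration; only max_life comes from the posted kdc.conf.

```python
import re

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
TOKEN = re.compile(r"(\d+)\s*([dhms])")

def parse_duration(text):
    """Convert a duration written like '7d 0h 0m 0s' or '10h' to seconds.
    Only this NdNhNmNs form (the one used in the post) is handled."""
    cleaned = text.strip().lower()
    if not cleaned or TOKEN.sub("", cleaned).strip():
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in TOKEN.findall(cleaned))

def effective_lifetime(limits, requested=None):
    """Return (seconds, [limiting labels]) for a ticket request.
    The KDC grants the minimum of every applicable cap, so a single
    low value anywhere decides the result."""
    caps = {label: parse_duration(value) for label, value in limits.items()}
    if requested is not None:
        caps["lifetime requested by client"] = parse_duration(requested)
    granted = min(caps.values())
    return granted, sorted(l for l, s in caps.items() if s == granted)

# Constructed inputs. max_life is the value from the posted kdc.conf; the
# per-principal values and the client request are assumptions for illustration.
ALL_RAISED = {
    "kdc.conf max_life": "7d 0h 0m 0s",
    "krbtgt/MYREALM maxlife": "7d",
    "username maxlife": "7d",
}
ONE_STALE = dict(ALL_RAISED, **{"username maxlife": "10h 0m 0s"})

if __name__ == "__main__":
    for name, limits, req in [
        ("all caps raised, client asks for 7d", ALL_RAISED, "7d"),
        ("one principal still at creation-time value", ONE_STALE, "7d"),
        ("all caps raised, client asks for 10h", ALL_RAISED, "10h"),
    ]:
        secs, why = effective_lifetime(limits, req)
        print(f"{name}: {secs // 3600}h, limited by {', '.join(why)}")
```

When every server-side cap reads 7d and tickets still come back at 10 hours, the remaining input to check is the lifetime the client itself asks for.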



