Ticket lifetimes > 10 hrs?

RCU nemesis at icequake.no_spam.net
Thu Nov 14 22:14:39 EST 2002

> What are the *exact* contents of your kdc.conf?  What where the
> contents of kdc.conf when you set up your database and when you
> created the principals involved in the transactions you care about?

        kdc_ports = 750,88

                database_name = /var/lib/krb5kdc/principal
                admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
                acl_file = /etc/krb5kdc/kadm5.acl
                key_stash_file = /etc/krb5kdc/stash
                kdc_ports = 750,88
                max_life = 7d 0h 0m 0s
                max_renewable_life = 7d 0h 0m 0s
                master_key_type = des3-hmac-sha1
                supported_enctypes = des-cbc-crc:v4 des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
                default_principal_flags = +preauth

When the princpals and the kdc database were created, max_life was 10h 0m
0s.  No other changes.

> You should keep in mind that each principal in the database has its
> own max lifetime and max renewable lifetime.

Yes; I have set the following principals to issue 7d tickets:
username (of the user)

I agree that having to modify the individual principals makes it pretty
difficult to administer.  But regardless, this should work AFAIK, and I
can't seem to figure out where the problem is.


More information about the Kerberos mailing list