Ticket lifetimes > 10 hrs?

Ben Cox cox-work at djehuti.com
Fri Nov 15 09:29:29 EST 2002

On Thu, 2002-11-14 at 17:34, Booker Bense wrote:
> - Unless you are using the server principals to get tickets, I
> don't see any reason to reset those values. Yes, you will get
> service tickets with a shorter lifetime, but so what? As long
> as you have a krbtgt you can get all the service tickets you
> need[1].

You might need to up the lifetimes on the service principals (and thus
the service tickets you get to talk to those principals) if your
application uses GSS-API and doesn't know to renegotiate a security
context when one expires (which apparently many don't).  This should
probably be rare for GSS-API apps that were written with Kerberos in

See a discussion on the IETF krb-wg mailing list for details; subject
was "Can Authorization Data be retrieved through GSSAPI?" and it was on
Feb 15-19 2002.  In particular an exchange between Sam Hartman and
Martin Rex on 19 Feb.  (Ken, I can forward the exchange to you if it
would help in writing the FAQ entry.)

In any case, you probably only need to do that for the service
principals used by the servers for those particular applications, not
all service principals in general.

-- Ben

More information about the Kerberos mailing list