Ticket lifetimes > 10 hrs?

Ben Cox cox-work at djehuti.com
Fri Nov 15 09:29:29 EST 2002


On Thu, 2002-11-14 at 17:34, Booker Bense wrote:
> - Unless you are using the server principals to get tickets, I
> don't see any reason to reset those values. Yes, you will get
> service tickets with a shorter lifetime, but so what? As long
> as you have a krbtgt you can get all the service tickets you
> need[1].

You might need to up the lifetimes on the service principals (and thus
the service tickets you get to talk to those principals) if your
application uses GSS-API and doesn't know to renegotiate a security
context when one expires (which apparently many don't).  This should
probably be rare for GSS-API apps that were written with Kerberos in
mind.

See a discussion on the IETF krb-wg mailing list for details; subject
was "Can Authorization Data be retrieved through GSSAPI?" and it was on
Feb 15-19 2002.  In particular an exchange between Sam Hartman and
Martin Rex on 19 Feb.  (Ken, I can forward the exchange to you if it
would help in writing the FAQ entry.)

In any case, you probably only need to do that for the service
principals used by the servers for those particular applications, not
all service principals in general.

-- Ben
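
[Added example, not part of Ben's message or the thread.] A small model of the two points above: the service principal's maximum life caps the service ticket, the GSS-API context ends with that ticket, and an application that never re-establishes the context stops there even though the krbtgt is still good. The function names, the simplified endtime rule and the sample lifetimes are assumptions made for illustration.

```python
from dataclasses import dataclass

HOUR = 3600  # all times are seconds since login (constructed sample values)


@dataclass
class Ticket:
    start: int
    end: int


def issue_service_ticket(now, tgt, service_maxlife, realm_maxlife):
    """Simplified KDC rule (assumption): a service ticket ends at the earliest of
    the TGT's end time and now + min(service principal max life, realm max life)."""
    if min(service_maxlife, realm_maxlife) <= 0:
        raise ValueError("max life must be positive")
    if now >= tgt.end:
        return None  # krbtgt expired: no further service tickets
    return Ticket(now, min(tgt.end, now + min(service_maxlife, realm_maxlife)))


def session_fails_at(tgt, service_maxlife, realm_maxlife, renegotiates):
    """Time at which a long-running GSS-API session first breaks.

    The security context is modelled as expiring with the service ticket it
    was built from. An application that renegotiates gets a fresh service
    ticket from the krbtgt and builds a new context; one that does not
    simply fails at the first expiry."""
    ticket = issue_service_ticket(0, tgt, service_maxlife, realm_maxlife)
    while ticket is not None:
        now = ticket.end                  # context expires with the ticket
        if not renegotiates:
            return now                    # app never re-establishes: session dies
        ticket = issue_service_ticket(now, tgt, service_maxlife, realm_maxlife)
    return now                            # krbtgt itself ran out


SAMPLE_TGT = Ticket(0, 24 * HOUR)  # constructed: a 24-hour krbtgt

if __name__ == "__main__":
    cases = [("10h service principal, no renegotiation", 10 * HOUR, False),
             ("10h service principal, renegotiates", 10 * HOUR, True),
             ("24h service principal, no renegotiation", 24 * HOUR, False)]
    for label, maxlife, reneg in cases:
        t = session_fails_at(SAMPLE_TGT, maxlife, 24 * HOUR, reneg)
        print(f"{label}: session breaks after {t // HOUR}h")
```
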




