Ticket lifetimes > 10 hrs?

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Nov 15 10:49:31 EST 2002


> - Unless you are using the server principals to get tickets, I
> don't see any reason to reset those values. Yes, you will get
> service tickets with a shorter lifetime, but so what? As long
> as you have a krbtgt you can get all the service tickets you
> need[1].

Have you ever actually done this?  It completely sucks.  The problem is
that the expiration time for a service ticket is calculated based on
the start time of the TGT plus the minimum of the service ticket lifetime,
TGT lifetime, and max realm lifetime[1].  _This_ means that if you have a
TGT with a ten hour lifetime, and your service ticket is only good for
5 hours, your service ticket will only be good for 5 hours ... and you
CANNOT get a new ticket for that service without acquiring a new TGT.

I always advise people to crank up the service ticket times to their
max realm lifetime (unless there is some reason they really want a
particular service shorter).

--Ken

[1] - If you're curious, the actual code in the MIT KDC is as follows:

until = (request->till == 0) ? kdc_infinity : request->till;
enc_tkt_reply.times.endtime =
    min(until, min(enc_tkt_reply.times.starttime + server.max_life,
	min(enc_tkt_reply.times.starttime + max_life_for_realm,
	    header_ticket->enc_part2->times.endtime)));

So the service ticket end time is technically the minimum of:

- Requested lifetime
- TGT start time plus service principal maximum lifetime (server.max_life)
- TGT start time plus maximum realm lifetime
- TGT end time

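The following is an added worked example, not code from the post above or from the MIT KDC: it re-implements the four-way minimum quoted in the footnote with plain integers and then walks through the ten-hour-TGT / five-hour-service scenario the post describes. It assumes, as the post states, that the start time used in the computation is the TGT's start time; the timestamps, the 10h/5h lifetimes and the "request at +6h" moment are constructed for illustration, and the function and type names (`ts_t`, `service_ticket_endtime`, `remaining_lifetime`) are this example's own, not krb5 API.

```c
#include <stdio.h>

/* Seconds since the epoch. Plain long rather than the KDC's own timestamp
 * type; this is a stand-alone illustration, not krb5 code. */
typedef long ts_t;

/* Stand-in for the KDC's kdc_infinity sentinel ("no requested end time"). */
#define KDC_INFINITY ((ts_t)0x7fffffff)
#define HOURS(h)     ((ts_t)(h) * 3600)

static ts_t min_ts(ts_t a, ts_t b) { return a < b ? a : b; }

/* Service ticket end time, following the expression quoted from the KDC:
 *   min(until,
 *       min(starttime + server.max_life,
 *           min(starttime + max_life_for_realm, tgt_endtime)))
 * where 'until' is the requested 'till' or infinity if till == 0, and
 * starttime is taken to be the TGT start time as the post describes. */
ts_t service_ticket_endtime(ts_t tgt_starttime, ts_t tgt_endtime,
                            ts_t requested_till, ts_t server_max_life,
                            ts_t max_life_for_realm)
{
    ts_t until = (requested_till == 0) ? KDC_INFINITY : requested_till;
    return min_ts(until,
                  min_ts(tgt_starttime + server_max_life,
                         min_ts(tgt_starttime + max_life_for_realm,
                                tgt_endtime)));
}

/* Seconds of validity a ticket with 'endtime' still has at time 'now'.
 * Zero or negative means the freshly issued ticket is already expired,
 * which is exactly the failure mode the post complains about. */
long remaining_lifetime(ts_t endtime, ts_t now)
{
    return (long)(endtime - now);
}

int main(void)
{
    /* Constructed scenario: a 10h TGT, a realm max of 10h, and a client
     * that asks for a service ticket 6 hours after it obtained the TGT. */
    const ts_t tgt_start  = 1037375371; /* constructed Nov 2002 timestamp */
    const ts_t tgt_end    = tgt_start + HOURS(10);
    const ts_t realm_max  = HOURS(10);
    const ts_t now        = tgt_start + HOURS(6);

    /* Service principal left at a 5h max_life: the ticket ends 5h after
     * the TGT started, so at +6h the KDC hands back an expired ticket. */
    ts_t e5 = service_ticket_endtime(tgt_start, tgt_end, 0, HOURS(5), realm_max);
    printf("max_life 5h : ends %ld s after TGT start, %ld s left at +6h\n",
           (long)(e5 - tgt_start), remaining_lifetime(e5, now));

    /* Service principal cranked up to the realm max, as the post advises:
     * the ticket now lasts until the TGT itself expires. */
    ts_t e10 = service_ticket_endtime(tgt_start, tgt_end, 0, HOURS(10), realm_max);
    printf("max_life 10h: ends %ld s after TGT start, %ld s left at +6h\n",
           (long)(e10 - tgt_start), remaining_lifetime(e10, now));

    /* A client-requested 'till' shorter than everything else wins instead. */
    ts_t e_till = service_ticket_endtime(tgt_start, tgt_end, tgt_start + HOURS(2),
                                         HOURS(10), realm_max);
    printf("till = +2h  : ends %ld s after TGT start\n", (long)(e_till - tgt_start));
    return 0;
}
```

Note that none of the terms in the minimum depends on the time of the TGS request, which is why re-requesting the same service ticket later with the same TGT cannot produce a longer-lived one; only a new TGT moves the start time forward.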


More information about the Kerberos mailing list