Ticket lifetimes > 10 hrs?
Booker Bense
bbense at SLAC.Stanford.EDU
Fri Nov 15 11:04:04 EST 2002
On Fri, 15 Nov 2002, Ken Hornstein wrote:
> > - Unless you are using the server principals to get tickets, I
> > don't see any reason to reset those values. Yes, you will get
> > service tickets with a shorter lifetime, but so what? As long
> > as you have a krbtgt you can get all the service tickets you
> > need[1].
>
> Have you ever actually done this? It completely sucks. The problem is
> that the expiration time for a service ticket is calculated based on
> the start time of the TGT plus the minimum of the service ticket lifetime,
> TGT lifetime, and max realm lifetime[1]. _This_ means that if you have a
> TGT with a ten hour lifetime, and your service ticket is only good for
> 5 hours, your service ticket will only be good for 5 hours ...
- That part I knew.
> and you
> CANNOT get a new ticket for that service without acquiring a new TGT.
>
- Um, that seems very broken. Is the problem just that the mk_req
routines are not checking the expiration time of the existing
service ticket?
- Booker C. Bense
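
The expiry rule Ken Hornstein describes in the quoted text, worked through as an added example (not part of the original message and not MIT Kerberos source code). The function names, the 24 hour realm maximum and the request-anchored comparison rule are assumptions made for illustration.

```c
#include <stdio.h>

#define HOUR 3600L  /* seconds; all times below are constructed sample values */

static long min2(long a, long b) { return a < b ? a : b; }

/* Rule as stated in the quoted message: the service ticket expires at
 * TGT start time + min(service lifetime, TGT lifetime, realm maximum). */
long svc_end_tgt_anchored(long tgt_start, long tgt_life, long svc_life, long realm_max)
{
    return tgt_start + min2(svc_life, min2(tgt_life, realm_max));
}

/* Hypothetical comparison rule (an assumption, not taken from any KDC):
 * anchor the lifetime at the request time and cap it at the TGT's end. */
long svc_end_request_anchored(long now, long tgt_start, long tgt_life,
                              long svc_life, long realm_max)
{
    return min2(now + min2(svc_life, realm_max), tgt_start + tgt_life);
}

/* Seconds of validity left on a ticket at time `now`; 0 means expired. */
long usable(long endtime, long now) { return endtime > now ? endtime - now : 0; }

/* Span during which the TGT is valid but a freshly issued service ticket
 * would already be expired under the TGT-anchored rule. */
long dead_window(long tgt_start, long tgt_life, long svc_life, long realm_max)
{
    long svc_end = svc_end_tgt_anchored(tgt_start, tgt_life, svc_life, realm_max);
    long tgt_end = tgt_start + tgt_life;
    return tgt_end > svc_end ? tgt_end - svc_end : 0;
}

int main(void)
{
    /* The case from the message: 10 hour TGT, 5 hour service ticket limit. */
    long t0 = 0, tgt = 10 * HOUR, svc = 5 * HOUR, realm = 24 * HOUR;
    for (long h = 0; h <= 10; h += 2) {
        long now = t0 + h * HOUR;
        printf("request at +%2ldh: tgt-anchored %ldh left, request-anchored %ldh left\n", h,
               usable(svc_end_tgt_anchored(t0, tgt, svc, realm), now) / HOUR,
               usable(svc_end_request_anchored(now, t0, tgt, svc, realm), now) / HOUR);
    }
    printf("dead window: %ldh\n", dead_window(t0, tgt, svc, realm) / HOUR);
    return 0;
}
```

With these values, every request made after hour 5 yields a ticket with no remaining validity under the TGT-anchored rule, even though the TGT itself is good until hour 10.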