Unable to get max_life to work over 24 hours

Kreitzer, Ray Ray.Kreitzer at dcsg.com
Wed Oct 15 14:32:17 EDT 2003

Steve,  I cannot find anywhere that has 24 hours as the "minimum ticket
lifetime".  Can you suggest anywhere else to look?  I am assuming that by
"KDC configured max" you are referring to the settings in krb.conf.  When
you say "per-principal max" - which ones are you referring to? I can't get
the right combination of things to get this to work.  No matter what I do --
I can't get a ticket > 24 hours.  

-----Original Message-----
From: Steve Langasek [mailto:vorlon at dodds.net]
Sent: Monday, October 06, 2003 4:31 PM
To: Tony Lill
Cc: Kreitzer, Ray; 'kerberos at mit.edu'
Subject: Re: Unable to get max_life to work over 24 hours

On Sun, Oct 05, 2003 at 01:04:39AM -0400, Tony Lill wrote:
> You're missing the fact that the max life is hard coded, and any
> suggestion in the documentation that it's configurable is a bald-faced
> lie! If you want 3 days, you'll have to compile your own.

Er, no.  What you do have to do is take into account that the ticket
lifetime granted is the minimum of the requested ticket lifetime, the
KDC's configured maximum, and the per-principal maximum.

Steve Langasek
postmodern programmer

> --------------- http://www.ajlc.waterloo.on.ca/ ----------------
> "Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
> Kreitzer, Ray <Ray.Kreitzer at dcsg.com> wrote:
>     Ray> I am running MIT Kerberos v5-1.2.8.   I am attempting to obtain a
>     Ray> with a life of  3 days.  I have set the max_life = 3d in the
kdc.conf and
>     Ray> have set the maxlife in the principal to 3d.  I run the kinit -l
3d but it
>     Ray> seems I can never get a ticket for more than 24 hours.  What am I
>     Ray> ___________________________________
>     Ray> Ray Kreitzer 
>     Ray> Sr. Database Administrator 
>     Ray> Dick's Sporting Goods 
>     Ray> 200 Industry Drive - RIDC Park West - Pittsburgh, PA  15275 
>     Ray> Phone (412) 809-0100 x3418  Fax (412) 809-0821 
>     Ray> Email   ray.kreitzer at dcsg.com 

More information about the Kerberos mailing list