maxlife parameter not being honored?!
Gary LaVoy
glavoy at apple.com
Wed Jun 9 16:28:35 EDT 2004
It appears that if I change the maxlife parameter in kdc.conf to
something > whatever I had it set for when I originally created the
principal DB, it will not be honored and the maximum lifetime I can
assign to a user ticket is limited to whatever it was when I set up the
db.

ex:

from kdc.conf:
    max_life = 0d 1h 0m 0s

create your db, put people in it.

change max life:
    max_life = 7d 0h 0m 0s

change a user's maxlife parameter with kadmin:
    modprinc -maxlife "4h" testuser

now, authenticate with that user using kinit, for example:
    kinit testuser

and you will see that the max life for the user is 1 hour.

I tried
    kinit -l 4h testuser
same result.

If I COMPLETELY blow away the db and recreate it with kdc.conf set to
7 days from the start, then it will work.
what am I missing here? bug? feature? something else I missed??
thanks in advance for any help!!
Gary