maxlife parameter not being honored?!

Gary LaVoy glavoy at
Wed Jun 9 16:28:35 EDT 2004

It appears that if I change the maxlife parameter in kdc.conf to 
something > whatever I had it set for then I originally created the 
principal DB, it will not be honored and the maximum life time I can 
assign to a user ticket is limited to whatever it was when I set up the 


from kdc.conf

                 max_life = 0d 1h 0m 0s

create your db, put people in it.

change   max life:

max_life = 7d 0h 0m 0s

change a users maxlife parameter with kadmin

modprinc -maxlife "4h" testuser

now, authenticate with that user using kinit for example

kinit testuser

and you will see that the max life for the user is 1 hour.

I tried kinit -l 4h testuser

same result.

If I COMPLETELY blow away the db and recreate it with kdc.conf set to 
7days from the start, then it will work.

what am I missing here? bug? feature? something else I missed??

thanks in advance for any help!!


More information about the Kerberos mailing list