maxlife parameter not being honored?!

Tom Yu tlyu at MIT.EDU
Wed Jun 9 16:56:53 EDT 2004


>>>>> "Gary" == Gary LaVoy <glavoy at apple.com> writes:

Gary> It appears that if I change the maxlife parameter in kdc.conf to
Gary> something > whatever I had it set for when I originally created the
Gary> principal DB, it will not be honored and the maximum lifetime I can
Gary> assign to a user ticket is limited to whatever it was when I set up
Gary> the db.


[...]


Gary> If I COMPLETELY blow away the db and recreate it with kdc.conf set to
Gary> 7days from the start, then it will work.

The KDC database stores the maximum and renewable maximum lifetimes on
a per-principal basis.  This is arguably a bug in the design.  The KDC
will take the smallest of all the involved lifetimes (client, server,
and the TGS-REQ ticket) as the lifetime of the issued ticket.  You'll
have to change the lifetimes on the client principal and the TGT
principal, as well as on any service principal you wish to
authenticate to.

[maybe this should be a FAQ...]

---Tom
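The clamping rule Tom describes, and the per-principal fix, as an added example that is not part of the original post or of the MIT Kerberos distribution. The `effective_lifetime` helper mirrors the KDC's "smallest of all the involved lifetimes" rule; `raise_limits` generates the `kadmin.local` `modprinc -maxlife/-maxrenewlife` commands needed on the user principal, the TGT principal and each service principal. The realm, principal names, the 10-hour "old" limit and the 7-day/14-day targets are constructed for the example; `max_life` in `kdc.conf` only seeds new principals, which is why existing ones keep the old value.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post. Shows why raising
# max_life in kdc.conf alone does nothing for existing principals, and
# emits the kadmin.local commands that fix it. All names are assumed.

REALM="EXAMPLE.COM"   # assumed realm

# Effective ticket lifetime in seconds: the KDC issues the smallest of
# the client principal's max life, the service principal's max life,
# the remaining life of the TGT in the TGS-REQ, and what the client
# requested. One stale 10-hour value caps the result regardless of
# what kdc.conf now says.
effective_lifetime() {
    min=$1
    shift
    for v in "$@"; do
        if [ "$v" -lt "$min" ]; then
            min=$v
        fi
    done
    echo "$min"
}

# Print one modprinc line per principal; pipe the output into
# kadmin.local to apply it. $1 = max life, $2 = max renewable life,
# both in kadmin duration syntax (e.g. 7d, 14d); remaining args are
# principals.
raise_limits() {
    maxlife=$1
    maxrenew=$2
    shift 2
    for p in "$@"; do
        echo "modprinc -maxlife $maxlife -maxrenewlife $maxrenew $p"
    done
}

# Constructed scenario: DB created with a 10-hour max_life, kdc.conf
# later raised to 7 days. Every principal still stores 36000 s.
TEN_HOURS=36000
SEVEN_DAYS=604800
before=$(effective_lifetime "$SEVEN_DAYS" "$TEN_HOURS" "$TEN_HOURS" "$TEN_HOURS")
after=$(effective_lifetime "$SEVEN_DAYS" "$SEVEN_DAYS" "$SEVEN_DAYS" "$SEVEN_DAYS")
echo "requested 7d: before fix -> ${before}s, after fix -> ${after}s"

# Principals that must all be raised: the user, the TGT principal
# (krbtgt/REALM@REALM) and every service the user authenticates to.
# To apply:  sh this_script.sh | grep '^modprinc' | kadmin.local
raise_limits 7d 14d \
    "alice@$REALM" \
    "krbtgt/$REALM@$REALM" \
    "host/fs1.example.com@$REALM"
```

After applying the commands, `getprinc` on each principal should show the raised "Maximum ticket life" and "Maximum renewable life" lines, and a fresh `kinit -l 7d` should yield a ticket whose expiry reflects the new limit. Leaving any one of the three principals at the old value reproduces the symptom in the thread, because the minimum still wins.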

