Maximum ticket lifetimes?

Tillman Hodgson tillman at
Fri Nov 19 13:07:50 EST 2004

On Thu, Nov 18, 2004 at 08:59:41AM -0500, Eric Jonas wrote:
> I have deployed an MIT kerberos KDC in my lab, and am attempting to
> lengthen the ticket lifetime to a full day (this is using debian stable,
> kerberos version  1.2.4-5woody6).
> I've edited  /etc/krb5kdc/kdc.conf to have max_life = 24h
> and via kadmin:
> modprinc -maxlife "1 day" krbtgt/MWL.AI.MIT.EDU at MWL.AI.MIT.EDU
> modprinc -maxlife "1 day" jonas at MWL.AI.MIT.EDU
> getprinc shows that both of these were successful. Then I restarted the
> kdc and kdc-admin processes on the kdc.

Between this paragraph and the next, your testing methods and problem
description appear to be missing :-)

How are you calling kinit? (e.g., `kinit -l24h`)? What is the output of

> I'm really stumped at this point because all the mailing list posts with
> these questions highlighted the importance of changing the maximum life on
> the above tickets as well as the kdc, which I've done.

That's the common stumbling block in my experience, yup.

> Is there something obvious I'm missing, or someplace I should look for
> more data? Also, is there someplace I can set the "24h" to be the maximum
> lifetime for all tickets created in the future?

One thing that comes to mind is that "maxinum" != "default". Are you
calling kinit with a ticket length parameter?


Page 12: Unix is a set of tools for smart people.
	- Harley Hahn, _The Unix Companion_

More information about the Kerberos mailing list