Maximum ticket lifetimes?
Tillman Hodgson
tillman at seekingfire.com
Fri Nov 19 13:07:50 EST 2004
On Thu, Nov 18, 2004 at 08:59:41AM -0500, Eric Jonas wrote:
> I have deployed an MIT kerberos KDC in my lab, and am attempting to
> lengthen the ticket lifetime to a full day (this is using debian stable,
> kerberos version 1.2.4-5woody6).
>
> I've edited /etc/krb5kdc/kdc.conf to have max_life = 24h
>
> and via kadmin:
> modprinc -maxlife "1 day" krbtgt/MWL.AI.MIT.EDU@MWL.AI.MIT.EDU
> modprinc -maxlife "1 day" jonas@MWL.AI.MIT.EDU
>
> getprinc shows that both of these were successful. Then I restarted the
> kdc and kdc-admin processes on the kdc.
Between this paragraph and the next, your testing methods and problem
description appear to be missing :-)
How are you calling kinit (e.g., `kinit -l24h`)? What is the output of
klist?
> I'm really stumped at this point because all the mailing list posts with
> these questions highlighted the importance of changing the maximum life on
> the above tickets as well as the kdc, which I've done.
That's the common stumbling block in my experience, yup.
> Is there something obvious I'm missing, or someplace I should look for
> more data? Also, is there someplace I can set the "24h" to be the maximum
> lifetime for all tickets created in the future?
One thing that comes to mind is that "maximum" != "default". Are you
calling kinit with a ticket length parameter?
-T
--
Page 12: Unix is a set of tools for smart people.
- Harley Hahn, _The Unix Companion_
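
The maximum-versus-default point above can be checked from klist output. The following is an added example, not part of the original thread: it reads the TGT lifetime from a constructed klist sample and reports which limit is binding, given that the KDC grants the smaller of the lifetime the client requested and every configured maximum. The sample output, the 10-hour requested value and the function names are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample of MIT klist output (not the poster's actual output;
# the date format varies by version and locale).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jonas@MWL.AI.MIT.EDU

Valid starting     Expires            Service principal
11/19/04 13:07:50  11/19/04 23:07:50  krbtgt/MWL.AI.MIT.EDU@MWL.AI.MIT.EDU
"""

STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
ROW = re.compile(rf"^{STAMP}\s+{STAMP}\s+(krbtgt/\S+)$", re.M)

def tgt_lifetime_hours(klist_text):
    """Lifetime in hours of the first krbtgt ticket listed by klist."""
    m = ROW.search(klist_text)
    if m is None:
        raise ValueError("no krbtgt ticket found in klist output")
    start, end = (datetime.strptime(s, "%m/%d/%y %H:%M:%S")
                  for s in m.group(1, 2))
    return (end - start).total_seconds() / 3600

def diagnose(klist_text, requested_h, caps_h):
    """Compare the granted lifetime with min(requested, every maximum)."""
    granted = tgt_lifetime_hours(klist_text)
    # The client's request (kinit -l, or its default) is one more limit
    # alongside kdc.conf max_life and the two principals' maxlife values.
    limits = {**caps_h, "requested by client": requested_h}
    expected = min(limits.values())
    binding = sorted(n for n, h in limits.items() if h == expected)
    return {"granted_h": granted, "expected_h": expected,
            "binding": binding,
            "consistent": abs(granted - expected) < 0.01}

if __name__ == "__main__":
    caps = {"kdc.conf max_life": 24, "krbtgt maxlife": 24,
            "client maxlife": 24}
    # 10 is an assumed value for what the client asked for without -l.
    print(diagnose(SAMPLE_KLIST, 10, caps))
```

With all three maximums at 24 hours and a shorter ticket in the cache, the binding limit is the client's request, which is the case `kinit -l24h` addresses.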