Renewable Tickets
Phil Dibowitz
phil at usc.edu
Mon Oct 25 16:51:04 EDT 2004
On Mon, Oct 25, 2004 at 04:46:21PM -0400, Kevin Coffman wrote:
> > > Also check the properties on the client and service principals
> > > (including the krbtgt principals). I forget whether max renewable
> > > lifetime is one of them, but if it is, it would be set when the
> > > principal is created or when you use "modprinc" in kadmin, and the
> > > config file specifications won't extend it, only (potentially) further
> > > limit it.
> >
> > You had me all excited for a minute... but no:
> >
> > kadmin: getprinc phil
> > ...
> > Maximum renewable life: 7 days 00:00:00
>
>
> That's the client. What about
> getprinc krbtgt/ISD.USC.EDU@ISD.USC.EDU ?
Aha!
Maximum renewable life: 0 days 00:00:00
So... "krbtgt" is the principal for... the domain? I'm still catching up on
Kerberos here.
So a
modprinc -maxrenewlife 7d krbtgt/ISD.USC.EDU@ISD.USC.EDU
should fix this?
--
Phil Dibowitz
Systems Architect and Administrator
Enterprise Infrastructure / ISD / USC
UCC 174 - 213-821-5427
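
The limit discussed in this thread, as an added example that is not part of the original message: it parses `getprinc`-style output for the client and krbtgt principals and reports which one caps the renewable lifetime. It assumes the KDC grants the minimum of the requested renewable life, the realm's configured maximum, and each principal's "Maximum renewable life"; the sample output, the `requested` and `realm_max` values, and the function names are constructed for illustration.

```python
import re
from datetime import timedelta

# Constructed sample text, shaped like the getprinc lines quoted in the thread.
CLIENT_OUT = """Principal: phil@ISD.USC.EDU
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
"""
TGS_OUT = """Principal: krbtgt/ISD.USC.EDU@ISD.USC.EDU
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
"""

_PRINC = re.compile(r"^Principal:\s*(\S+)\s*$", re.M)
_RENEW = re.compile(
    r"^Maximum renewable life:\s*(\d+) days? (\d+):(\d{2}):(\d{2})\s*$", re.M
)


def parse_getprinc(text):
    """Return (principal name, max renewable life) from getprinc output."""
    princ = _PRINC.search(text)
    renew = _RENEW.search(text)
    if not princ or not renew:
        raise ValueError("missing Principal or Maximum renewable life line")
    days, hours, minutes, seconds = map(int, renew.groups())
    return princ.group(1), timedelta(
        days=days, hours=hours, minutes=minutes, seconds=seconds
    )


def effective_renew_life(requested, realm_max, *getprinc_outputs):
    """Return (granted renewable life, name of the limit that set it).

    Assumption: the result is the minimum over every limit; zero means the
    ticket comes back non-renewable.
    """
    limits = [("requested", requested), ("realm config", realm_max)]
    limits += [parse_getprinc(text) for text in getprinc_outputs]
    source, life = min(limits, key=lambda item: item[1])
    return life, source


if __name__ == "__main__":
    week = timedelta(days=7)
    life, source = effective_renew_life(week, week, CLIENT_OUT, TGS_OUT)
    print(f"renewable life: {life} (limited by {source})")
```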