Renewable Tickets
Kevin Coffman
kwc at citi.umich.edu
Mon Oct 25 16:54:31 EDT 2004
> -----Original Message-----
> From: Phil Dibowitz [mailto:phil at usc.edu]
> Sent: Monday, October 25, 2004 4:51 PM
> To: Kevin Coffman
> Cc: kerberos at MIT.EDU
> Subject: Re: Renewable Tickets
>
> On Mon, Oct 25, 2004 at 04:46:21PM -0400, Kevin Coffman wrote:
> > > > Also check the properties on the client and service principals
> > > > (including the krbtgt principals). I forget whether max renewable
> > > > lifetime is one of them, but if it is, it would be set when the
> > > > principal is created or when you use "modprinc" in kadmin, and the
> > > > config file specifications won't extend it, only (potentially)
> further
> > > > limit it.
> > >
> > > You had me all excited for a minute... but no:
> > >
> > > kadmin: getprinc phil
> > > ...
> > > Maximum renewable life: 7 days 00:00:00
> >
> >
> > That's the client. What about
> > getprinc krbtgt/ISD.USC.EDU at ISD.USC.EDU ?
>
> Aha!
>
> Maximum renewable life: 0 days 00:00:00
>
> So... "krbtgt" is the principal for... the domain? I'm still catching up
> on
> Kerberos here.
It is the principal for the Ticket Granting Service.
> so a
> modprinc -maxrenewlife 7d krbtgt/ISD.USC.EDU at ISD.USC.EDU
>
> Should fix this?
Yes :-)
More information about the Kerberos
mailing list