Renewable Tickets

Kevin Coffman kwc at citi.umich.edu
Mon Oct 25 16:54:31 EDT 2004


> -----Original Message-----
> From: Phil Dibowitz [mailto:phil at usc.edu]
> Sent: Monday, October 25, 2004 4:51 PM
> To: Kevin Coffman
> Cc: kerberos at MIT.EDU
> Subject: Re: Renewable Tickets
> 
> On Mon, Oct 25, 2004 at 04:46:21PM -0400, Kevin Coffman wrote:
> > > > Also check the properties on the client and service principals
> > > > (including the krbtgt principals).  I forget whether max renewable
> > > > lifetime is one of them, but if it is, it would be set when the
> > > > principal is created or when you use "modprinc" in kadmin, and the
> > > > config file specifications won't extend it, only (potentially) further
> > > > limit it.
> > >
> > > You had me all excited for a minute... but no:
> > >
> > > kadmin:  getprinc phil
> > > ...
> > > Maximum renewable life: 7 days 00:00:00
> >
> >
> > That's the client.  What about
> > getprinc krbtgt/ISD.USC.EDU at ISD.USC.EDU  ?
> 
> Aha!
> 
> Maximum renewable life: 0 days 00:00:00
> 
> So... "krbtgt" is the principal for... the domain? I'm still catching up on
> Kerberos here.

It is the principal for the Ticket Granting Service.

> so a
>   modprinc -maxrenewlife 7d krbtgt/ISD.USC.EDU at ISD.USC.EDU
> 
> Should fix this?

Yes :-)
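
An added example, not part of the original messages: the renewable lifetime a ticket actually gets is the smallest of the requested value and every configured limit, so a single 0 on the krbtgt principal overrides everything else. The sketch below parses constructed `getprinc` output modelled on the lines quoted in the thread; the `max_renewable_life` value of 7 days for kdc.conf and the helper names are assumptions.

```python
import re
from datetime import timedelta

# Matches the line printed by kadmin getprinc, e.g.
# "Maximum renewable life: 7 days 00:00:00".
_RENEW_RE = re.compile(
    r"^Maximum renewable life:\s*(\d+) days? (\d+):(\d+):(\d+)\s*$", re.M)


def max_renew_life(getprinc_output):
    """Return the principal's maximum renewable life as a timedelta."""
    m = _RENEW_RE.search(getprinc_output)
    if m is None:
        raise ValueError("no 'Maximum renewable life' line found")
    d, h, mi, s = map(int, m.groups())
    return timedelta(days=d, hours=h, minutes=mi, seconds=s)


def effective_renew_life(requested, limits):
    """Smallest of the requested lifetime and every configured limit.

    limits maps a label (principal or config setting) to a timedelta.
    Returns (lifetime, sorted labels of the limits equal to it).
    """
    effective = min([requested, *limits.values()])
    binding = sorted(k for k, v in limits.items() if v == effective)
    return effective, binding


# Constructed sample output, reduced to the lines quoted in the thread.
CLIENT = "Principal: phil@ISD.USC.EDU\nMaximum renewable life: 7 days 00:00:00\n"
TGS = ("Principal: krbtgt/ISD.USC.EDU@ISD.USC.EDU\n"
       "Maximum renewable life: 0 days 00:00:00\n")


def check(tgs_output):
    """Evaluate a 7-day renewable request against all three limits."""
    limits = {
        "phil": max_renew_life(CLIENT),
        "krbtgt/ISD.USC.EDU": max_renew_life(tgs_output),
        "max_renewable_life": timedelta(days=7),  # assumed kdc.conf value
    }
    return effective_renew_life(timedelta(days=7), limits)


if __name__ == "__main__":
    print(check(TGS))  # the krbtgt principal is the binding limit
```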


