krb5.conf variations, was: Renewable Tickets

Henry B. Hotz hotz at jpl.nasa.gov
Thu Oct 28 18:15:14 EDT 2004


On Oct 25, 2004, at 4:04 PM, kerberos-request at mit.edu wrote:

> First, I'd like to mention I was mistaken when I said the 'libdefaults'
> section, I meant 'appdefaults', such as:
>
> [appdefaults]
>  ticket_lifetime = 30days
>  renew_lifetime = 180days
>
> or alternatively, within a 'kinit' subgroup.

I'm running with:

[appdefaults]
	renewable = true
[libdefaults]
	renew_lifetime = 7d

on my Solaris clients and it seems to do the right thing (against a  
Heimdal kdc).  Looking at the Solaris 9 krb5.conf man page I see  
max_renewable_life as an [appdefaults] option, but nothing else.   
Perhaps the renew_lifetime line isn't needed?

I suspect the renew_lifetime line is a carryover from some other  
krb5.conf.  In Heimdal it can go in either section and "7d" is OK (vice  
7days).

An MIT 1.3 man page does not mention max_renewable_life, and puts  
renew_lifetime in [libdefaults] only.

I suppose I shouldn't complain.  Everyone really is pretty compatible  
if you're willing to deal with the details.  That indicates serious  
effort on the part of all the implementors, free and commercial alike.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
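
An added example, not part of the original message: a small krb5.conf reader that reports where renew_lifetime and max_renewable_life sit outside the sections each man page lists for them. The DOCUMENTED table only encodes what the message above reports about the Heimdal, MIT 1.3 and Solaris 9 man pages, and the function names and the sample file are constructed for illustration.

```python
import re

# Where each man page lists the key, as reported in the message above (an
# assumption taken from that message, not from vendor documentation).
# Empty set: that man page does not list the key. Absent key: message is silent.
DOCUMENTED = {
    "Heimdal":   {"renew_lifetime": {"appdefaults", "libdefaults"}},
    "MIT 1.3":   {"renew_lifetime": {"libdefaults"}, "max_renewable_life": set()},
    "Solaris 9": {"renew_lifetime": set(), "max_renewable_life": {"appdefaults"}},
}

def parse_krb5_conf(text):
    """Return (section, subgroup, key, value) for every relation in the file."""
    section, stack, out = None, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                       # new top-level section
            section, stack = header.group(1), []
        elif line.startswith("}"):       # end of a subgroup such as kinit = { ... }
            if stack:
                stack.pop()
        elif "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if value == "{":
                stack.append(key)        # relations that follow belong to this subgroup
            else:
                out.append((section, "/".join(stack), key, value))
    return out

def undocumented_placements(text):
    """List (implementation, key, section) where the key sits outside the
    sections that implementation's man page lists for it."""
    hits = []
    for section, _sub, key, _value in parse_krb5_conf(text):
        for impl, keys in DOCUMENTED.items():
            if key in keys and section not in keys[key]:
                hits.append((impl, key, section))
    return hits

# Constructed sample combining the settings shown in the message and its quote.
SAMPLE = """[appdefaults]
    renewable = true
    kinit = {
        renew_lifetime = 180days
    }
[libdefaults]
    renew_lifetime = 7d
"""

if __name__ == "__main__":
    for hit in undocumented_placements(SAMPLE):
        print("%s: %s in [%s] is not on the man page" % hit)
```

A hit means only that the placement is not on that man page as described above; as the message notes for Solaris, the setting may still take effect.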