krb5.conf variations, was: Renewable Tickets

Henry B. Hotz hotz at
Thu Oct 28 18:15:14 EDT 2004

On Oct 25, 2004, at 4:04 PM, kerberos-request at wrote:

> First, I'd like to mention I was mistaken when I said the 'libdefaults'
> section, I meant 'appdefaults', such as:
> [appdefaults]
>  ticket_lifetime = 30days
>  renew_lifetime = 180days
> or alternatively, within a 'kinit' subgroup.

I'm running with:

	renewable = true
	renew_lifetime = 7d

on my Solaris clients and it seems to do the right thing (against a  
Heimdal kdc).  Looking at the Solaris 9 krb5.conf man page I see  
max_renewable_life as an [appdefaults] option, but nothing else.   
Perhaps the renew_lifetime line isn't needed?

I suspect the renew_lifetime line is a carryover from some other  
krb5.conf.  In Heimdal it can go in either section and "7d" is OK (vice  

An MIT 1.3 man page does not mention max_renewable_life, and puts  
renew_lifetime in [libdefaults] only.

I suppose I shouldn't complain.  Everyone really is pretty compatible  
if you're willing to deal with the details.  That indicates serious  
effort on the part of all the implementors, free and commercial alike.

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at, or hbhotz at
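
The message above turns on which krb5.conf section (or subgroup) a lifetime setting sits in. As an added example that is not part of the original message, this sketch lists every place the keys named in the thread are set in a file, so they can be compared with the man page of the implementation in use. The function names and the sample file are constructed for illustration, and the parser covers only section headers, key = value lines and brace-delimited subgroups.

```python
import re

# Constructed sample krb5.conf (not from the original message): the
# lifetime keys named in the thread, set in several different places.
SAMPLE = """\
[libdefaults]
    renewable = true
    renew_lifetime = 7d
[appdefaults]
    max_renewable_life = 7d
    kinit = {
        # nested subgroup
        renew_lifetime = 180days
    }
"""
KEYS = {"renewable", "renew_lifetime", "ticket_lifetime", "max_renewable_life"}

def find_lifetime_settings(text, keys=KEYS):
    """Return (path, key, value) for each watched key; path is 'section'
    or 'section/subgroup' for a key nested inside a { } block."""
    found, section, stack = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or whole-line comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                            # new [section] resets nesting
            section, stack = header.group(1), []
            continue
        if line.startswith("}"):              # close the innermost subgroup
            if stack:
                stack.pop()
            continue
        kv = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not kv or section is None:
            continue
        key, value = kv.groups()
        if value == "{":                      # open a subgroup such as kinit
            stack.append(key)
        elif key in keys:
            found.append(("/".join([section] + stack), key, value))
    return found

def locations(found):
    """Group results by key so a key set in more than one place stands out."""
    grouped = {}
    for path, key, value in found:
        grouped.setdefault(key, []).append((path, value))
    return grouped

if __name__ == "__main__":
    for key, places in sorted(locations(find_lifetime_settings(SAMPLE)).items()):
        print(key, places)
```

The script only reports where each key is set; which of those locations a given client honors still has to be checked against that implementation's documentation.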
