Help with ticket expiry
Andrew B. Young
andrew at an3e.org
Fri Sep 22 15:49:02 EDT 2006
Ken H.,
I do not have a /etc/kdc.conf, only
/usr/kerberos/share/examples/krb5/kdc.conf.
My /etc/krb5.conf file already has a [realms] section, where I define
AN3E.ORG.
I tried adding max_life and max_renewable_life = 72h in my realm defined
in /etc/krb5.conf with no noticeable effect after--
[ayoung:ayoung@ns1 ~]$ sudo /etc/rc.d/init.d/krb5kdc restart
[ayoung:ayoung@ayoung-g219 ~]$ kdestroy;kinit -l 72h;klist
Valid starting     Expires            Service principal
09/22/06 12:45:25  09/23/06 12:45:25  krbtgt/AN3E.ORG@AN3E.ORG
        renew until 09/22/06 12:45:25
-andyy
Ken Hornstein wrote:
>> From the posts I've discovered this should be all I need do to increase
>> the expire for the principal "ayoung". Any thoughts? Thanks much!
>>
>
> The information you read was wrong.
>
> You need to increase the following things:
>
> - The expiration time on the user principal (which you did)
> - The expiration time on the krbtgt principal (which you did do)
> - The "max_life" parameter in kdc.conf (which it does not look like you did)
>
> You should also probably change the expiration time on all of your service
> principals as well.
>
> I am not convinced "ticket_lifetime" is necessarily correct, but I would
> do "kinit -l 72h" to be extra sure.
>
> --Ken
>
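An added example, not part of the original thread: a small Python check that reads the lifetime actually granted from a klist line and names which of the limits Ken lists is clamping it. It assumes the KDC issues the minimum of the requested lifetime and those limits; the limit values and the function names are constructed for illustration, since the thread does not show the real settings.

```python
import re
from datetime import datetime, timedelta

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
# klist line as posted in the thread; the limit values below are constructed.
KLIST_LINE = "09/22/06 12:45:25 09/23/06 12:45:25 krbtgt/AN3E.ORG@AN3E.ORG"
LIMITS = {
    "user principal maxlife": "72h",
    "krbtgt principal maxlife": "72h",
    "kdc.conf max_life": "1d 0h 0m 0s",
}

def parse_duration(text):
    """Parse durations such as '72h', '3d' or '1d 0h 0m 0s' into a timedelta."""
    low = text.lower()
    parts = re.findall(r"(\d+)\s*([dhms])", low)
    if not parts or re.sub(r"\d+\s*[dhms]|\s", "", low):
        raise ValueError(f"unrecognised duration: {text!r}")
    return timedelta(seconds=sum(int(n) * UNITS[u] for n, u in parts))

def granted_lifetime(klist_line):
    """Return Expires minus Valid starting for a MM/DD/YY HH:MM:SS klist line."""
    stamps = re.findall(r"\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}", klist_line)
    if len(stamps) < 2:
        raise ValueError("expected 'Valid starting' and 'Expires' timestamps")
    start, end = (datetime.strptime(s, "%m/%d/%y %H:%M:%S") for s in stamps[:2])
    return end - start

def diagnose(requested, limits, klist_line):
    """Compare the granted lifetime with the configured limits."""
    want = parse_duration(requested)
    caps = {name: parse_duration(value) for name, value in limits.items()}
    expected = min([want, *caps.values()])
    got = granted_lifetime(klist_line)
    # A limit is binding when it sets the minimum and is below the request.
    binding = sorted(n for n, v in caps.items() if v == expected and v < want)
    return {"requested": want, "expected": expected, "granted": got,
            "consistent": got == expected, "binding": binding}

if __name__ == "__main__":
    print(diagnose("72h", LIMITS, KLIST_LINE))
```

If "consistent" comes back False, the ticket is shorter than every limit supplied, so some limit that was not listed (or not actually in effect on the KDC) is the one being applied.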