How to set Kerberos 5 ticket lifetime

Sachin Punadikar punadikar.sachin at gmail.com
Thu Nov 15 23:48:11 EST 2007 

Hi,

here is the formula which governs the ticket_lifetime. So look at it
and make corresponding changes in your configuration
ticket lifetime = minimum of ( "max_life" from kdc.conf file,
                                           "ticket_lifetime" from krb5.conf,
                                           "maxlife" of ticket
granting service, i.e. krbtgt/realm_name,
                                           "maxlife" of the principle/user)

Hope this helps.

- Sachin.

On Nov 15, 2007 7:09 PM, Ido Levy <IDOL at il.ibm.com> wrote:
>
> Hello,
>
> I would appreciate your advice on what is the best way to set default
> kerberos 5 ticket lifetime
> and what are the necessary configuration in the server and the client side.
>
> I tried the following configuration but it didn't seems to work:
>
> Server Side
>
> 1) The file kdc.conf -
>
>       I set "max_life = 168h 0m 0s" under the [realms] section.
>
> 2) I have also modified the principal and set its maxlife option as follows
>
>             > kadmin.local
>             Attempting to bind to one or more LDAP servers. This may take a
> while...
>             kadmin.local:  modify_principal -maxlife 168hours test at REALM
>             Principal "test at REALM" modified.
>             kadmin.local:  getprinc test at REALM
>             Principal: test at REALM
>             Expiration date: [never]
>             Last password change:  Thu Nov 15 13:53:50 IST 2007
>             Password expiration date: Wed Feb 13 13:53:50 IST 2008
>             Maximum ticket life: 7 days 00:00:00
>             Maximum renewable life: 7 days 00:00:00
>             Last modified: Thu Nov 15 15:32:10 IST 2007
>             Last successful authentication: [never]
>             Last failed authentication: [never]
>             Failed password attempts: 0
>             Number of keys: 4
>             Key: vno 4, Triple DES cbc mode with HMAC/sha1,
>             no salt
>             Key: vno 4, ArcFour with HMAC/md5,
>             no salt
>             Key: vno 4, AES-256 CTS mode with 96-bit SHA-1 HMAC,
>             no salt
>             Key: vno 4, DES cbc mode with RSA-MD5,
>             no salt
>
>             Attributes:
>                    REQUIRES_PRE_AUTH
>             Policy: default
>
> Linux Client Side:
>
> No special configuration here
>
>
> Thank you in advance,
>
> Ido Levy
> IBM R&D Labs in Israel
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

More information about the Kerberos mailing list