How to set Kerberos 5 ticket lifetime

Ido Levy IDOL at il.ibm.com
Fri Nov 16 11:13:23 EST 2007 

Hi,

Thank you very much for the information,it's very helpful.
I will give it a try and will let you know.

Ido Levy
IBM R&D Labs in Israel



                                                                           
             "Sachin                                                       
             Punadikar"                                                    
             <punadikar.sachin                                          To 
             @gmail.com>               Ido Levy/Haifa/IBM at IBMIL            
                                                                        cc 
             16/11/2007 06:48          kerberos at mit.edu                    
                                                                   Subject 
                                       Re: How to set Kerberos 5 ticket    
                                       lifetime                            
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




Hi,

here is the formula which governs the ticket_lifetime. So look at it
and make corresponding changes in your configuration
ticket lifetime = minimum of ( "max_life" from kdc.conf file,
                                           "ticket_lifetime" from
krb5.conf,
                                           "maxlife" of ticket
granting service, i.e. krbtgt/realm_name,
                                           "maxlife" of the principle/user)

Hope this helps.

- Sachin.

On Nov 15, 2007 7:09 PM, Ido Levy <IDOL at il.ibm.com> wrote:
>
> Hello,
>
> I would appreciate your advice on what is the best way to set default
> kerberos 5 ticket lifetime
> and what are the necessary configuration in the server and the client
side.
>
> I tried the following configuration but it didn't seems to work:
>
> Server Side
>
> 1) The file kdc.conf -
>
>       I set "max_life = 168h 0m 0s" under the [realms] section.
>
> 2) I have also modified the principal and set its maxlife option as
follows
>
>             > kadmin.local
>             Attempting to bind to one or more LDAP servers. This may take
a
> while...
>             kadmin.local:  modify_principal -maxlife 168hours test at REALM
>             Principal "test at REALM" modified.
>             kadmin.local:  getprinc test at REALM
>             Principal: test at REALM
>             Expiration date: [never]
>             Last password change:  Thu Nov 15 13:53:50 IST 2007
>             Password expiration date: Wed Feb 13 13:53:50 IST 2008
>             Maximum ticket life: 7 days 00:00:00
>             Maximum renewable life: 7 days 00:00:00
>             Last modified: Thu Nov 15 15:32:10 IST 2007
>             Last successful authentication: [never]
>             Last failed authentication: [never]
>             Failed password attempts: 0
>             Number of keys: 4
>             Key: vno 4, Triple DES cbc mode with HMAC/sha1,
>             no salt
>             Key: vno 4, ArcFour with HMAC/md5,
>             no salt
>             Key: vno 4, AES-256 CTS mode with 96-bit SHA-1 HMAC,
>             no salt
>             Key: vno 4, DES cbc mode with RSA-MD5,
>             no salt
>
>             Attributes:
>                    REQUIRES_PRE_AUTH
>             Policy: default
>
> Linux Client Side:
>
> No special configuration here
>
>
> Thank you in advance,
>
> Ido Levy
> IBM R&D Labs in Israel
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

More information about the Kerberos mailing list