Unable to change lifetime with MIT krb5
Kevin Coffman
kwc at citi.umich.edu
Sun Jan 27 22:45:57 EST 2008
On Jan 27, 2008 10:01 PM, <vandegrift at gmail.com> wrote:
> Hi everyone,
>
> I have a simple MIT Kerberos config. One KDC/KAS, a handful of
> clients. I have a principal that I'd like to allow 24h expiration
> times on tickets.
>
> My kdc.conf has "max_life = 24h 0m 0s", but if I run "kinit -l 24h", I
> still get the default 10h expiration time.
>
> I noticed that the principal had been created with a 10h max life, so
> I did "modprinc -maxlife '24 hours' ross". The new lifetime is
> reflected in the getprinc output.
>
> Still, kinit only gets me a 10h ticket. What gives?
>
> I'm using the krb5 packages from Debian, if that makes a difference.
> Thanks!
>
> Ross
You also have to increase the maximum lifetime of the service you are
authenticating to. In this case that is the krbtgt service
(krbtgt/REALM@REALM).
K.C.
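
An added example, not part of the original thread: a simplified model of why the ticket stays at 10h. The KDC grants the smallest of the requested lifetime, the realm `max_life`, the client principal's maximum life and the service principal's maximum life, so the script reports which limit is capping the ticket. The `getprinc` output strings below are constructed sample input, and the helper names are hypothetical.

```python
import re

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Parse a duration written like '24h 0m 0s' or '24h' into seconds."""
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts:
        raise ValueError(f"unrecognized duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_getprinc_life(output):
    """Extract 'Maximum ticket life' (in seconds) from kadmin getprinc output."""
    m = re.search(r"Maximum ticket life:\s*(\d+) days? (\d+):(\d+):(\d+)", output)
    if not m:
        raise ValueError("no 'Maximum ticket life' line found")
    d, h, mi, s = map(int, m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def effective_lifetime(requested, limits):
    """Return (granted seconds, names of the limits that cap the request)."""
    granted = min([requested, *limits.values()])
    binding = sorted(n for n, v in limits.items() if v == granted and v < requested)
    return granted, binding

# Constructed sample input: the state after "modprinc -maxlife '24 hours' ross",
# with the krbtgt principal still at its original 10h maximum.
ROSS = "Principal: ross@REALM\nMaximum ticket life: 1 day 00:00:00\n"
KRBTGT = "Principal: krbtgt/REALM@REALM\nMaximum ticket life: 0 days 10:00:00\n"

def diagnose():
    limits = {
        "kdc.conf max_life": parse_duration("24h 0m 0s"),
        "client ross": parse_getprinc_life(ROSS),
        "service krbtgt/REALM@REALM": parse_getprinc_life(KRBTGT),
    }
    # Models "kinit -l 24h" against the limits above.
    return effective_lifetime(parse_duration("24h"), limits)

if __name__ == "__main__":
    granted, binding = diagnose()
    print(f"granted {granted // 3600}h, capped by: {', '.join(binding)}")
```

Once the krbtgt principal's maximum life is raised to 24 hours, no limit is below the request and the full 24h is granted.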