Long-running jobs with renewal of krb5 tickets and AFS tokens
Jason Edgecombe
jason at rampaginggeek.com
Mon Mar 2 21:02:59 EST 2009
Nicolas Williams wrote:
> On Sat, Feb 28, 2009 at 11:40:26PM -0500, Jason Edgecombe wrote:
>
>> I guess setting things for renewable tickets longer than 7 days or
>> running the jobs in local disk will be easiest.
>>
>> We have a 7 day normal/renewable lifetime. What length do other sites have?
>>
>
> I have seen sites use on the order of months for the renewable ticket
> lifetime, but still hours for normal ticket lifetime. If you already
> use seven days for renew life you might as well double it -- whatever
> your threat model is, if you can accept seven days then chances are you
> can accept fourteen.
>
Doubling it wouldn't really help. It would probably need to be on the
order of a month. If I were to change the renewable lifetime, I need to
change all principals, the client krb5.conf and the server kdc.conf. Is
that correct?
Thanks,
Jason
More information about the Kerberos
mailing list