Long-running jobs with renewal of krb5 tickets and AFS tokens

Jason Edgecombe jason at rampaginggeek.com
Mon Mar 2 21:02:59 EST 2009

Nicolas Williams wrote:
> On Sat, Feb 28, 2009 at 11:40:26PM -0500, Jason Edgecombe wrote:
>> I guess setting things for renewable tickets longer than 7 days or 
>> running the jobs in local disk will be easiest.
>> We have a 7 day normal/renewable lifetime. What length do other sites have?
> I have seen sites use on the order of months for the renewable ticket
> lifetime, but still hours for normal ticket lifetime.  If you already
> use seven days for renew life you might as well double it -- whatever
> your threat model is, if you can accept seven days then chances are you
> can accept fourteen.
Doubling it wouldn't really help. It would probably need to be on the 
order of a month. If I were to change the renewable lifetime, I need to 
change all principals, the client krb5.conf and the server kdc.conf. Is 
that correct?


More information about the Kerberos mailing list