Long-running jobs with renewal of krb5 tickets and AFS tokens

Nicolas Williams Nicolas.Williams at sun.com
Mon Mar 2 21:34:49 EST 2009

On Mon, Mar 02, 2009 at 09:02:59PM -0500, Jason Edgecombe wrote:
> Nicolas Williams wrote:
> >I have seen sites use on the order of months for the renewable ticket
> >lifetime, but still hours for normal ticket lifetime.  If you already
> >use seven days for renew life you might as well double it -- whatever
> >your threat model is, if you can accept seven days then chances are you
> >can accept fourteen.
> >  
> Doubling it wouldn't really help. It would probably need to be on the 
> order of a month. If I were to change the renewable lifetime, I need to 
> change all principals, the client krb5.conf and the server kdc.conf. Is 
> that correct?

Hmmm, not sure.  The client ought to ask for infinity, but I don't think
that's the default, sadly.  The kdc.conf parameters in question are best
not used -- you can use kadmin policies instead.  Also, IIRC the TGS
principal's renew life puts a bound on all, IIRC, so generally you might
want to set principals' renewable ticket life to be very long, and use
the TGS principal as a big hammer.


More information about the Kerberos mailing list