Long-running jobs with renewal of krb5 tickets and AFS tokens
Nicolas.Williams at sun.com
Mon Mar 2 21:34:49 EST 2009
On Mon, Mar 02, 2009 at 09:02:59PM -0500, Jason Edgecombe wrote:
> Nicolas Williams wrote:
> >I have seen sites use on the order of months for the renewable ticket
> >lifetime, but still hours for normal ticket lifetime. If you already
> >use seven days for renew life you might as well double it -- whatever
> >your threat model is, if you can accept seven days then chances are you
> >can accept fourteen.
> Doubling it wouldn't really help. It would probably need to be on the
> order of a month. If I were to change the renewable lifetime, I need to
> change all principals, the client krb5.conf and the server kdc.conf. Is
> that correct?
Hmmm, not sure. The client ought to ask for infinity, but I don't think
that's the default, sadly. The kdc.conf parameters in question are best
not used -- you can use kadmin policies instead. Also, IIRC the TGS
principal's renew life puts a bound on all, so generally you might
want to set principals' renewable ticket life to be very long, and use
the TGS principal as a big hammer.
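Added illustration, not part of the thread and a simplified model rather than the KDC's own code: it sketches why raising the renewable lifetime on user principals alone does not help, since the granted renew-till is clamped by the client principal, the krbtgt/TGS principal and the realm-wide kdc.conf bound, and the smallest of the three wins. The function names, the reference timestamp and the 10-hour ticket life are constructed for the example.

```python
from datetime import datetime, timedelta

NOW = datetime(2009, 3, 2, 21, 34)   # constructed reference time
TICKET_LIFE = timedelta(hours=10)    # ordinary (non-renewable) ticket lifetime

def effective_renew_till(now, life, requested_renew, client_max_renew,
                         tgs_max_renew, realm_max_renew):
    """Return (endtime, renew_till); renew_till is None when not renewable.

    Simplified model (an assumption, not the KDC source): renew-till is
    min(requested, client principal bound, krbtgt/TGS principal bound,
    realm-wide kdc.conf bound), and the ticket is only renewable if that
    lands after the ticket's own end time."""
    endtime = now + life
    if requested_renew is None:          # client never asked for -r
        return endtime, None
    renew_till = now + min(requested_renew, client_max_renew,
                           tgs_max_renew, realm_max_renew)
    if renew_till <= endtime:            # clamp left nothing to renew
        return endtime, None             # RENEWABLE flag is dropped
    return endtime, renew_till

def renew_window_days(client_days, tgs_days, realm_days, requested_days=10000):
    """Whole days of renewable life when the client asks for a huge -r value."""
    _, renew_till = effective_renew_till(
        NOW, TICKET_LIFE, timedelta(days=requested_days),
        timedelta(days=client_days), timedelta(days=tgs_days),
        timedelta(days=realm_days))
    return 0 if renew_till is None else (renew_till - NOW).days

if __name__ == "__main__":
    print("all bounds 7d:            ", renew_window_days(7, 7, 7))
    print("only user principal 30d:  ", renew_window_days(30, 7, 7))
    print("user + krbtgt 30d, kdc 7d:", renew_window_days(30, 30, 7))
    print("all three 30d:            ", renew_window_days(30, 30, 30))
    print("asked for 0d (no renew):  ", renew_window_days(30, 30, 30, 0))
```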