ticket renew lifetime limited by Windows KDC policy

Di Pe dipeit at gmail.com
Wed Sep 1 16:59:24 EDT 2010


Hi,

We use kerberized NFS for our home directories on desktops and
computational servers. Users log in via pam_krb5 and tickets are
refreshed via a cron job that checks if users are still logged on and
executes a kinit -R /tmp/ticketcache if they are to refresh the
ticket. If they are logged off, their ticket cache is deleted. If the
ticket expires, users are instantly cut off from their home directory and
almost all processes freeze. Sometimes a reboot is required.
Some users stay logged onto a system for longer than 30 days. To
minimize the likelihood of this "freeze" happening we increased
renew_lifetime from 7d to 90d in the local krb5.conf. Unfortunately
the renew lifetime is enforced by our Windows 2k3 KDC
(http://technet.microsoft.com/en-us/library/cc738269%28WS.10%29.aspx).
We are debating if we should increase the ActiveDirectory policy
from 7d to 120d for all users.

What is the specific risk of increasing the renew lifetime to 30 days,
90 days, or 120 days? For Windows and Unix systems?

Please take into account that our cron job is deleting all tickets of
users that are currently not logged on, every hour. Also we need to use
weak crypto because our NetApp requires it.

What would be a better Kerberos setup? pam_winbind instead of
pam_krb5? Other tools that can refresh/replace the TGT instead of
renewing it? These tools would have to store the user's password in
memory, wouldn't they?

Thanks much for your help
dipe
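An added example, not part of the original post, that models the hourly cron job described above with one check the post does not mention: kinit -R can only extend a ticket up to its "renew until" time (the renewable lifetime the KDC enforces), and an already expired ticket cannot be renewed at all, so the job should be able to warn before the NFS "freeze" rather than discover it afterwards. It parses MIT klist output (assumed default timestamp format, constructed sample below, no real data) and returns a decision per cache instead of running kinit or kdestroy itself.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `klist -c /tmp/krb5cc_1000` (MIT format); not real data.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
09/01/2010 08:00:00  09/01/2010 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 09/08/2010 08:00:00
"""

TS = "%m/%d/%Y %H:%M:%S"                      # assumed klist timestamp format
TS_RE = r"\d\d/\d\d/\d{4} \d\d:\d\d:\d\d"

def parse_tgt(klist_output):
    """Return (expires, renew_until) of the krbtgt entry.
    renew_until is None when the TGT is not renewable at all."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"({TS_RE})\s+({TS_RE})\s+krbtgt/", line)
        if not m:
            continue
        expires = datetime.strptime(m.group(2), TS)
        renew_until = None
        if i + 1 < len(lines):                  # "renew until" follows the entry
            r = re.search(rf"renew until ({TS_RE})", lines[i + 1])
            if r:
                renew_until = datetime.strptime(r.group(1), TS)
        return expires, renew_until
    raise ValueError("no TGT found in klist output")

def plan_for_cache(klist_output, logged_in, now_str, warn_before=timedelta(days=1)):
    """Decide what the hourly job should do with one ticket cache.
    delete  - user logged off: remove the cache (as the post describes)
    expired - TGT already expired: kinit -R cannot bring it back, a fresh
              login (new TGT, not a renewal) is the only way out
    warn    - renewable lifetime set by the KDC ends within warn_before (or
              the ticket is not renewable): the freeze is imminent
    renew   - kinit -R will succeed and extend the ticket"""
    now = datetime.strptime(now_str, TS)
    expires, renew_until = parse_tgt(klist_output)
    if not logged_in:
        return "delete"
    if now >= expires:
        return "expired"
    if renew_until is None or renew_until - now <= warn_before:
        return "warn"
    return "renew"
```

A cron wrapper would map "renew" to `kinit -R -c <cache>` and "delete" to `kdestroy -c <cache>`, and turn "warn" into a notification to the user while there is still time to log in again.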
