Unable to change Kerberos Ticket Life and Renewal Life

Gaurav Dasgupta gdsayshi at gmail.com
Thu Apr 18 05:45:27 EDT 2013


Got it. Will try this.

Thanks,
Gaurav


On Thu, Apr 18, 2013 at 2:30 PM, Tiago Elvas <tiagoelvas at gmail.com> wrote:

> Hi,
>
> I honestly don't know how to update all the users at the same time inside
> kadmin. However....
>
> My guess would be to:
>
>    - Create a keytab with root/admin credentials (I would suggest you
>    create a principal named root_script/admin or something)
>    - List all the principals in a bash script
>    - Loop in the list and modify all the principals using the keytab
>    previously created to connect through kadmin using the command:
>       - kadmin -p root_script/admin -k -t <keytab_filename> -q <query>
>       - <query> should be something like a command as if you were inside
>       kadmin: "modprinc...." to do whatever you want
>
> Hope the info was helpful.
>
> Best regards,
> Tiago
>
>
> On Thu, Apr 18, 2013 at 10:34 AM, rohit sarewar <rohitsarewar at gmail.com> wrote:
>
>> Hi Tiago
>>
>> As an administrator, how can I renew all principals using a command?
>> There are a large number of principals in my case.
>>
>> Regards
>> Rohit Sarewar
>>
>>
>> On Thu, Apr 18, 2013 at 1:53 PM, Tiago Elvas <tiagoelvas at gmail.com> wrote:
>>
>>> Hi Gaurav,
>>>
>>> I have received great help from this mailing list for the same issue.
>>> I think you'll find useful information in this topic:
>>>
>>> http://serverfault.com/questions/132123/how-to-change-the-kerberos-default-ticket-lifetime
>>>
>>> Best regards,
>>>
>>> Tiago
>>>
>>>
>>> On Thu, Apr 18, 2013 at 8:45 AM, Gaurav Dasgupta <gdsayshi at gmail.com>
>>> wrote:
>>>
>>> > Hi All,
>>> >
>>> > I have MIT Kerberos set up in a CentOS 6 cluster. Everything is working
>>> > fine except one thing. I want to change the default ticket life for all
>>> > the principals and their renewal time also. For that I have first
>>> > changed the */etc/krb5.conf* to change the value of
>>> > *ticket_lifetime = 7d* and *renew_lifetime = 30d*.
>>> >
>>> > Then I restarted the *krb5kdc* and *kadmin* services. Then, from the
>>> > *Kadmin.local* shell, I used the following commands:
>>> >
>>> > modprinc -maxrenewlife 7day krbtgt/MY_REALM
>>> > modprinc -maxrenewlife 7day +allow_renewable gaurav
>>> >
>>> > *Note*: *krbtgt/MY_REALM* is the default service principal and *gaurav*
>>> > is a user principal.
>>> >
>>> > Now, when I am doing *kinit* for *gaurav*, and then *klist* to check the
>>> > ticket details, I cannot see the new ticket_lifetime and renew_lifetime
>>> > reflected. It's showing the old (default) values of 24h
>>> > (ticket_lifetime) and 7d (renew_lifetime).
>>> >
>>> > I have also tried the command: *kinit -l 7d*. But this is also not
>>> > working.
>>> >
>>> > Can someone tell me how else I can change the ticket_lifetime and
>>> > renew_lifetime for all the principals?
>>> >
>>> > Thanks,
>>> > Gaurav
>>> > ________________________________________________
>>> > Kerberos mailing list           Kerberos at mit.edu
>>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>>> >
>>>
>>
>>
>
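
The keytab-driven loop suggested in the quoted reply, written out as an added example (not code from the thread or from MIT Kerberos). The keytab path, the lifetime values, the skip list for KDC-internal principals, the name character filter, the keytab permission check and the extra `-maxlife` option are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: keytab path, lifetimes, skip list.
ADMIN_PRINC="${ADMIN_PRINC:-root_script/admin}"
KEYTAB="${KEYTAB:-/root/root_script.keytab}"      # hypothetical path
MAXLIFE="${MAXLIFE:-7day}"
MAXRENEW="${MAXRENEW:-30day}"

# An admin keytab is a password-equivalent secret: require a regular file
# with no group/other permission bits (e.g. mode 0600) before using it.
keytab_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Keep only lines shaped like name@REALM with a conservative character set,
# since each name is pasted into a kadmin query string. Lines with spaces
# (such as kadmin's authentication banner) are dropped as well, and
# KDC-internal principals are skipped.
filter_principals() {
    grep -E '^[A-Za-z0-9._/-]+@[A-Za-z0-9._-]+$' |
        grep -Ev '^(K/M|kadmin/|krbtgt/|kiprop/)'
}

# The <query> from the thread: one modprinc command per principal.
build_query() {
    printf 'modprinc -maxlife %s -maxrenewlife %s +allow_renewable %s' \
        "$MAXLIFE" "$MAXRENEW" "$1"
}

# The kadmin invocation quoted in the thread; stdin is detached so kadmin
# cannot consume the principal list being read by the loop.
run_kadmin() {
    kadmin -p "$ADMIN_PRINC" -k -t "$KEYTAB" -q "$1" </dev/null
}

main() {
    keytab_is_private "$KEYTAB" || {
        echo "refusing: $KEYTAB is missing or group/world accessible" >&2
        return 1
    }
    run_kadmin listprincs | filter_principals | while read -r princ; do
        if [ "$1" = "--apply" ]; then
            run_kadmin "$(build_query "$princ")"
        else
            printf '%s\n' "$(build_query "$princ")"   # dry run: show only
        fi
    done
}

case "${1:-}" in --dry-run|--apply) main "$1" ;; esac
```

Run it with `--dry-run` to print the queries and with `--apply` to execute them; `krbtgt/REALM` is skipped here and would be changed by hand, as in the original post.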

