max_life problem

Benjamin Kaduk kaduk at MIT.EDU
Tue Aug 2 15:56:55 EDT 2016


On Mon, 1 Aug 2016, Greg Hudson wrote:

> On 08/01/2016 04:29 AM, Александр Баранин wrote:
> > I use mit kerberos, version krb5-1.14.2, compiled from source.
> > And I can't to force kdc to issue tickets for more than 10 hours.
>
> In addition to the realm setting, the client and server entries in the
> KDC database can also have a max_life value.  Using "getprinc" in
> kadmin, look at the "Maximum ticket life" on the user principal and on
> krbtgt/ALFA.IT.  Are either of them ten hours?  If so, you can change
> them with "modprinc -maxlife".

(It looks like this is on a Debian system, so I'll note that the debian
krb5-kdc package will create a kdc.conf that has max_life 10 hours on
first installation.  So, principals created when such a kdc.conf was in
place would be affected by it.)

-Ben


More information about the Kerberos mailing list