Questions Regarding User Tokens

Ken Hornstein kenh at cmf.nrl.navy.mil
Thu Dec 7 19:43:43 EST 2023


>   - How do we extend ticket lifetime to 14 days?
>      - We have tried to set the ticket lifetime to 14 days in krb5.conf
>      [realm] but it caps out to one day

First, assuming you're talking about the "ticket_lifetime" parameter,
that actually goes in the [libdefaults] stanza.  You can also specify the
lifetime parameter on the command line to kinit using the "-l" option
and that might be the most useful to start out during testing.

Where you're probably running into issues is that the ticket lifetime
is the MINIMUM of: the requested lifetime (via the -l option or the
ticket_lifetime parameter), the maximum lifetime set on the client
principal, and the maximum lifetime set on the service principal.  So
you need to modify the maximum lifetime on all of your clients AND
all of your services.  You can do this with the "modprinc -maxlife"
command inside of kadmin.  To even test this out with one user you'd
need to change that user's maximum lifetime AND the lifetime of the TGS
principal (krbtgt/REALM at REALM).

>   - How do we extend renewable ticket lifetime to 30 days?
>      - We set the variable to 30 days but it only caps out to 14 days.

See above, the same rules apply (with the exception that you use
the "-maxrenewlife" option to modprinc).

>   - Kinit would sometimes give us an expiration date from the past

That maybe sounds like a clock synchronization problem?  If you could
give us details there, that might be helpful.

>   - Kinit needs to be done on every single node you want to use. If, no
>   kinit then no access to NFS home directory.

Normally this is done at login time automatically, and when you log into
a remote system Kerberos tickets are forwarded.

If you are using a batch processing system then that is trickier; there
are some tricks there, but none of them are great if you don't have
a Kerberos aware queueing system.

--Ken
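To make the "minimum of three" rule from the reply concrete, here is an added Python example (not part of Ken's message and not MIT krb5 code). It parses a subset of the duration syntax kinit and kadmin accept, computes the lifetime and renewable lifetime the KDC will actually grant, and prints the modprinc commands for one user plus the TGS principal; the user name, realm and the "1d" stock maximum in the scenario are assumed values.

```python
import re

# Subset of the duration syntax kinit/kadmin accept, e.g. "14d", "1h30m", "36000".
# Assumption: only these forms are handled (krb5 also accepts "hh:mm:ss" style).
_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_TOKEN = re.compile(r"(\d+)([dhms])")


def parse_deltat(text: str) -> int:
    """Seconds denoted by a krb5-style duration string."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    parts = _TOKEN.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)


def effective_times(requested_life: str, requested_renew: str,
                    client_maxlife: str, client_maxrenew: str,
                    service_maxlife: str, service_maxrenew: str) -> tuple:
    """Lifetime and renewable lifetime (seconds) the KDC will actually grant.

    Each value is the MINIMUM of what was requested (-l / -r or krb5.conf),
    the client principal's maximum and the service principal's maximum.
    The renewable value is 0 when the ticket will not be renewable at all:
    MIT's KDC only sets RENEWABLE when renew_till falls after the end time.
    """
    life = min(parse_deltat(requested_life), parse_deltat(client_maxlife),
               parse_deltat(service_maxlife))
    renew = min(parse_deltat(requested_renew), parse_deltat(client_maxrenew),
                parse_deltat(service_maxrenew))
    return life, (renew if renew > life else 0)


def kadmin_commands(user: str, realm: str, maxlife: str, maxrenewlife: str) -> list:
    """kadmin commands that raise the caps on one user and on the TGS principal."""
    return [f"modprinc -maxlife {maxlife} -maxrenewlife {maxrenewlife} {p}"
            for p in (f"{user}@{realm}", f"krbtgt/{realm}@{realm}")]


if __name__ == "__main__":
    # Constructed scenario from the question: 14d requested in krb5.conf, but both
    # principals still at an assumed stock 1-day maximum, so kinit caps at one day.
    print(effective_times("14d", "30d", "1d", "0", "1d", "0"))        # (86400, 0)
    # After raising -maxlife to 14d and -maxrenewlife to 30d on both principals:
    print(effective_times("14d", "30d", "14d", "30d", "14d", "30d"))  # (1209600, 2592000)
    for cmd in kadmin_commands("alice", "EXAMPLE.COM", "14d", "30d"):
        print(cmd)
```

The second scenario in the block also shows why a renewable lifetime that only matches the ticket lifetime buys nothing: the service principal's -maxrenewlife has to exceed the granted lifetime, not merely equal it.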
