Hi,

Thank you very much for the information, it's very helpful.
I will give it a try and will let you know.

Ido Levy
IBM R&D Labs in Israel

From: "Sachin Punadikar" @gmail.com>
To: Ido Levy/Haifa/IBM@IBMIL
cc: kerberos@mit.edu
Date: 16/11/2007 06:48
Subject: Re: How to set Kerberos 5 ticket lifetime

Hi,

Here is the formula which governs the ticket_lifetime. So look at it
and make corresponding changes in your configuration:

ticket lifetime = minimum of ( "max_life" from kdc.conf file,
                               "ticket_lifetime" from krb5.conf,
                               "maxlife" of ticket granting service, i.e. krbtgt/realm_name,
                               "maxlife" of the principal/user )

Hope this helps.

- Sachin.

On Nov 15, 2007 7:09 PM, Ido Levy wrote:
>
> Hello,
>
> I would appreciate your advice on what is the best way to set default
> Kerberos 5 ticket lifetime
> and what are the necessary configurations in the server and the client side.
>
> I tried the following configuration but it didn't seem to work:
>
> Server Side
>
> 1) The file kdc.conf -
>
> I set "max_life = 168h 0m 0s" under the [realms] section.
>
> 2) I have also modified the principal and set its maxlife option as follows
>
> > kadmin.local
> Attempting to bind to one or more LDAP servers. This may take a while...
> kadmin.local: modify_principal -maxlife 168hours test@REALM
> Principal "test@REALM" modified.
> kadmin.local: getprinc test@REALM
> Principal: test@REALM
> Expiration date: [never]
> Last password change: Thu Nov 15 13:53:50 IST 2007
> Password expiration date: Wed Feb 13 13:53:50 IST 2008
> Maximum ticket life: 7 days 00:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Nov 15 15:32:10 IST 2007
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 4
> Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 4, ArcFour with HMAC/md5, no salt
> Key: vno 4, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 4, DES cbc mode with RSA-MD5, no salt
>
> Attributes:
> REQUIRES_PRE_AUTH
> Policy: default
>
> Linux Client Side:
>
> No special configuration here
>
>
> Thank you in advance,
>
> Ido Levy
> IBM R&D Labs in Israel
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
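
The minimum-of-four formula from the reply above, worked through as an added example that is not part of the original thread: it parses the duration spellings that appear in the thread and reports which settings still cap the ticket. The helpers `parse_duration` and `effective_lifetime` are hypothetical, and the krb5.conf and krbtgt values are constructed samples, since the original poster did not show them.

```python
import re

# Unit spellings accepted here: an assumption covering the forms seen in this
# thread ("168h 0m 0s", "168hours", "7 days 00:00:00"); bare numbers are seconds.
_UNITS = {"": 1, "s": 1, "sec": 1, "secs": 1, "m": 60, "min": 60, "mins": 60,
          "h": 3600, "hour": 3600, "hours": 3600,
          "d": 86400, "day": 86400, "days": 86400}
_TOKEN = re.compile(r"(\d+)\s*([a-z]*)")
_CLOCK = re.compile(r"(\d+):(\d{2}):(\d{2})$")


def parse_duration(text):
    """Return the number of seconds in a duration string (hypothetical helper)."""
    rest = text.strip().lower()
    total, seen = 0, False
    clock = _CLOCK.search(rest)          # trailing hh:mm:ss, as getprinc prints it
    if clock:
        h, m, s = map(int, clock.groups())
        total, seen, rest = h * 3600 + m * 60 + s, True, rest[:clock.start()]
    for number, unit in _TOKEN.findall(rest):
        if unit not in _UNITS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(number) * _UNITS[unit]
        seen = True
    if not seen or _TOKEN.sub("", rest).strip():
        raise ValueError(f"cannot parse duration {text!r}")
    return total


def effective_lifetime(limits):
    """Apply min() over the named limits; return (seconds, binding limit names)."""
    seconds = {name: parse_duration(value) for name, value in limits.items()}
    lowest = min(seconds.values())
    return lowest, sorted(n for n, s in seconds.items() if s == lowest)


# The first and last values are from the thread; the middle two are constructed
# sample values for settings the original poster did not show.
SAMPLE = {
    "kdc.conf max_life": "168h 0m 0s",
    "krb5.conf ticket_lifetime": "24h",          # constructed
    "krbtgt/REALM maxlife": "1 day 00:00:00",    # constructed
    "test@REALM maxlife": "7 days 00:00:00",
}

if __name__ == "__main__":
    secs, binding = effective_lifetime(SAMPLE)
    print(f"effective lifetime: {secs // 3600}h, limited by: {', '.join(binding)}")
```

Raising only some of the four inputs leaves the result unchanged; the returned names show which settings still hold the ticket lifetime down.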