kerberos ticket lifetime in Heimdal - Kerberos


  1. kerberos ticket lifetime in Heimdal

    Colleagues,

    Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
    in TGT's lifetime being 3 days, however all service tickets' lifetime
    is still 1 day, like this:

    Issued           Expires          Principal
    Jan 2 09:27:44   Jan 5 09:27:44   krbtgt/SIBPTUS.TOMSK.RU@SIBPTUS.TOMSK.RU
    Jan 2 09:27:47   Jan 3 09:27:47   host/big.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU

    How can I configure Kerberos so that all service tickets also get a
    lifetime of 3 days?

    TIA.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  2. Re: kerberos ticket lifetime in Heimdal

    Victor Sudakov writes:

    > Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
    > in TGT's lifetime being 3 days, however all service tickets' lifetime
    > is still 1 day, like this:
    >
    > Issued           Expires          Principal
    > Jan 2 09:27:44   Jan 5 09:27:44   krbtgt/SIBPTUS.TOMSK.RU@SIBPTUS.TOMSK.RU
    > Jan 2 09:27:47   Jan 3 09:27:47   host/big.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU
    >
    > How can I configure Kerberos so that all service tickets also get a
    > lifetime of 3 days?


    You probably need to change the maximum ticket lifetime for all of those
    principals in the KDC.

    --
    Russ Allbery (rra@stanford.edu)

  3. Re: kerberos ticket lifetime in Heimdal

    Russ Allbery wrote:

    > > Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
    > > in TGT's lifetime being 3 days, however all service tickets' lifetime
    > > is still 1 day, like this:
    > >
    > > Issued           Expires          Principal
    > > Jan 2 09:27:44   Jan 5 09:27:44   krbtgt/SIBPTUS.TOMSK.RU@SIBPTUS.TOMSK.RU
    > > Jan 2 09:27:47   Jan 3 09:27:47   host/big.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU
    > >
    > > How can I configure Kerberos so that all service tickets also get a
    > > lifetime of 3 days?


    > You probably need to change the maximum ticket lifetime for all of those
    > principals in the KDC.


    Thank you, it worked.

    Is there a way to set the default maximum ticket lifetime for all
    newly created principals?

    I usually create new host principals by running "ktutil get" on the
    host itself.

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  4. Re: kerberos ticket lifetime in Heimdal

    Victor Sudakov wrote:

    > > You probably need to change the maximum ticket lifetime for all of those
    > > principals in the KDC.


    > Thank you, it worked.


    > Is there a way to set the default maximum ticket lifetime for all
    > newly created principals?


    It seems that the "default" principal should be modified, i.e.
    "modify --max-ticket-life=3d default"

    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/

  5. Re: kerberos ticket lifetime in Heimdal

    Victor Sudakov writes:

    > Thank you, it worked.
    >
    > Is there a way to set the default maximum ticket lifetime for all
    > newly created principals?
    >
    > I usually create new host principals by running "ktutil get" on the
    > host itself.


    I don't know in Heimdal; I assume there is, but I'm not familiar enough
    with that implementation. In MIT Kerberos, it's a kdc.conf setting.

    --
    Russ Allbery (rra@stanford.edu)

  6. Re: kerberos ticket lifetime in Heimdal

    Russ Allbery wrote:
    > >
    > > Is there a way to set the default maximum ticket lifetime for all
    > > newly created principals?
    > >
    > > I usually create new host principals by running "ktutil get" on the
    > > host itself.


    > I don't know in Heimdal; I assume there is, but I'm not familiar enough
    > with that implementation. In MIT Kerberos, it's a kdc.conf setting.


    In Heimdal, you modify the "default" principal.


    --
    Victor Sudakov, VAS4-RIPE, VAS47-RIPN
    2:5005/49@fidonet http://vas.tomsk.ru/
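
Added example, not part of the thread: a Python sketch of the end-time clamp a KDC applies to a service ticket (per RFC 4120, the earliest of the requested end time, the TGT's end time, and issue time plus the service principal's maximum ticket life), run on the klist lines from the first post. The function names and the year are assumptions made for illustration; the client-principal and realm-wide limits are left out to keep the model small.

```python
from datetime import datetime, timedelta

# klist lines copied from the first post. The listing carries no year,
# so YEAR is an arbitrary assumption used only to make the stamps parseable.
YEAR = 2001
KLIST = """\
Issued Expires Principal
Jan 2 09:27:44 Jan 5 09:27:44 krbtgt/SIBPTUS.TOMSK.RU@SIBPTUS.TOMSK.RU
Jan 2 09:27:47 Jan 3 09:27:47 host/big.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU
"""

def _stamp(fields, year):
    """Parse ['Jan', '2', '09:27:44'] into a datetime in the given year."""
    return datetime.strptime(f"{year} " + " ".join(fields), "%Y %b %d %H:%M:%S")

def parse_klist(text, year=YEAR):
    """Return (issued, expires, principal) for each ticket line."""
    tickets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 7:
            continue  # header or blank line
        issued, expires = _stamp(f[0:3], year), _stamp(f[3:6], year)
        if expires < issued:  # ticket spans New Year
            expires = expires.replace(year=year + 1)
        tickets.append((issued, expires, f[6]))
    return tickets

def capped_by_kdc(tickets):
    """Service principals whose ticket expires before the TGT does,
    i.e. candidates for a larger max-ticket-life in the KDC database."""
    tgt_end = next(e for _, e, p in tickets if p.startswith("krbtgt/"))
    return [p for _, e, p in tickets
            if not p.startswith("krbtgt/") and e < tgt_end]

def service_ticket_end(issued, requested_life, tgt_end, server_max_life):
    """End time granted for a service ticket: the earliest of the three limits."""
    return min(issued + requested_life, tgt_end, issued + server_max_life)

if __name__ == "__main__":
    tickets = parse_klist(KLIST)
    print("capped:", capped_by_kdc(tickets))
    tgt_end, host_issued = tickets[0][1], tickets[1][0]
    for max_life in (timedelta(days=1), timedelta(days=3)):
        end = service_ticket_end(host_issued, timedelta(days=3), tgt_end, max_life)
        print(f"server max life {max_life}: ticket lasts {end - host_issued}")
```

With the service principal's maximum life raised to 3 days, the host ticket in this model ends together with the TGT, so it lasts three seconds less than 3 days: a service ticket never outlives the TGT it was obtained with.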
