kerberos ticket lifetime in Heimdal - Kerberos
-
kerberos ticket lifetime in Heimdal
Colleagues,
Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
in TGT's lifetime being 3 days, however all service tickets' lifetime
is still 1 day, like this:
Issued Expires Principal
Jan 2 09:27:44 Jan 5 09:27:44 krbtgt/SIBPTUS.TOMSK.RU@SIBPTUS.TOMSK.RU
Jan 2 09:27:47 Jan 3 09:27:47 host/big.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU
How can I configure Kerberos so that all service tickets also get a
lifetime of 3 days?
TIA.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
-
Re: kerberos ticket lifetime in Heimdal
Victor Sudakov writes:
> Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
> in TGT's lifetime being 3 days, however all service tickets' lifetime
> is still 1 day, like this:
>
> Issued Expires Principal
> Jan 2 09:27:44 Jan 5 09:27:44 krbtgt/SIBPTUS.TOMSK.RU@SIBPTUS.TOMSK.RU
> Jan 2 09:27:47 Jan 3 09:27:47 host/big.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU
>
> How can I configure Kerberos so that all service tickets also get a
> lifetime of 3 days?
You probably need to change the maximum ticket lifetime for all of those
principals in the KDC.
--
Russ Allbery (rra@stanford.edu)
-
Re: kerberos ticket lifetime in Heimdal
Russ Allbery wrote:
> > Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
> > in TGT's lifetime being 3 days, however all service tickets' lifetime
> > is still 1 day, like this:
> >
> > Issued Expires Principal
> > Jan 2 09:27:44 Jan 5 09:27:44 krbtgt/SIBPTUS.TOMSK.RU@SIBPTUS.TOMSK.RU
> > Jan 2 09:27:47 Jan 3 09:27:47 host/big.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU
> >
> > How can I configure Kerberos so that all service tickets also get a
> > lifetime of 3 days?
> You probably need to change the maximum ticket lifetime for all of those
> principals in the KDC.
Thank you, it worked.
Is there a way to set the default maximum ticket lifetime for all
newly created principals?
I usually create new host principals by running "ktutil get" on the
host itself.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
-
Re: kerberos ticket lifetime in Heimdal
Victor Sudakov wrote:
> > You probably need to change the maximum ticket lifetime for all of those
> > principals in the KDC.
> Thank you, it worked.
> Is there a way to set the default maximum ticket lifetime for all
> newly created principals?
It seems that the "default" principal should be modified, i.e.
"modify --max-ticket-life=3d default"
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
-
Re: kerberos ticket lifetime in Heimdal
Victor Sudakov writes:
> Thank you, it worked.
>
> Is there a way to set the default maximum ticket lifetime for all
> newly created principals?
>
> I usually create new host principals by running "ktutil get" on the
> host itself.
I don't know in Heimdal; I assume there is, but I'm not familiar enough
with that implementation. In MIT Kerberos, it's a kdc.conf setting.
--
Russ Allbery (rra@stanford.edu)
-
Re: kerberos ticket lifetime in Heimdal
Russ Allbery wrote:
> >
> > Is there a way to set the default maximum ticket lifetime for all
> > newly created principals?
> >
> > I usually create new host principals by running "ktutil get" on the
> > host itself.
> I don't know in Heimdal; I assume there is, but I'm not familiar enough
> with that implementation. In MIT Kerberos, it's a kdc.conf setting.
In Heimdal, you modify the "default" principal.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
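
Added example, not code from the thread's participants: a Python check over klist-style output that lists service tickets expiring before the TGT, which is the symptom described in the first post and resolved by raising the principal's maximum ticket lifetime. The sample rows are the two quoted in the thread with a header line, the function names are hypothetical, and the `year` argument is an assumption because the listing prints no year.

```python
import re
from datetime import datetime

# Constructed sample: the two klist rows quoted in the thread, plus the header.
SAMPLE = """\
Issued           Expires          Principal
Jan  2 09:27:44  Jan  5 09:27:44  krbtgt/SIBPTUS.TOMSK.RU@SIBPTUS.TOMSK.RU
Jan  2 09:27:47  Jan  3 09:27:47  host/big.sibptus.tomsk.ru@SIBPTUS.TOMSK.RU
"""

STAMP = r"([A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)"
ROW = re.compile(rf"^\s*{STAMP}\s+{STAMP}\s+(\S+)\s*$")

def _when(stamp, year):
    # The listing carries no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")

def parse_tickets(text, year):
    """Return {principal: (issued, expires)} for every ticket row in text."""
    tickets = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # header or any other non-ticket line
        issued, expires = _when(m.group(1), year), _when(m.group(2), year)
        if expires < issued:  # ticket runs past New Year
            expires = _when(m.group(2), year + 1)
        tickets[m.group(3)] = (issued, expires)
    return tickets

def capped_below_tgt(text, year=2001):
    """Map each service principal that expires before the TGT to its lifetime."""
    tickets = parse_tickets(text, year)  # default year is arbitrary (assumption)
    tgt_expiries = [exp for p, (_, exp) in tickets.items() if p.startswith("krbtgt/")]
    if not tgt_expiries:
        raise ValueError("no krbtgt/ entry in listing")
    tgt_expiry = max(tgt_expiries)
    return {
        p: exp - iss
        for p, (iss, exp) in tickets.items()
        if not p.startswith("krbtgt/") and exp < tgt_expiry
    }

if __name__ == "__main__":
    for principal, life in capped_below_tgt(SAMPLE).items():
        print(f"{principal}: {life} (expires before the TGT; check max-ticket-life)")
```

Each principal it reports is a candidate for the per-principal maximum ticket lifetime change discussed in the thread.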