Unable to change lifetime with MIT krb5 - Kerberos

This is a discussion on Unable to change lifetime with MIT krb5 - Kerberos ; Hi everyone, I have a simple MIT Kerberos config. One KDC/KAS, a handful of client. I have a principal that I'd like to allow 24h expiration times on tickets. My kdc.conf has "max_life = 24h 0m 0s", but if I ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Unable to change lifetime with MIT krb5

  1. Unable to change lifetime with MIT krb5

    Hi everyone,

    I have a simple MIT Kerberos config. One KDC/KAS, a handful of
    client. I have a principal that I'd like to allow 24h expiration
    times on tickets.

    My kdc.conf has "max_life = 24h 0m 0s", but if I run "kinit -l 24h", I
    still get the default 10h expiration time.

    I noticed that the principal had been created with a 10h max life, so
    I did "modprinc -maxlife '24 hours' ross". The new lifetime is
    reflected in the getprinc output.

    Still, kinit only gets me a 10h ticket. What gives?

    I'm using the krb5 packages from Debian, if that makes a difference.
    Thanks!

    Ross

  2. Re: Unable to change lifetime with MIT krb5

    On Jan 27, 2008 10:01 PM, wrote:
    > Hi everyone,
    >
    > I have a simple MIT Kerberos config. One KDC/KAS, a handful of
    > client. I have a principal that I'd like to allow 24h expiration
    > times on tickets.
    >
    > My kdc.conf has "max_life = 24h 0m 0s", but if I run "kinit -l 24h", I
    > still get the default 10h expiration time.
    >
    > I noticed that the principal had been created with a 10h max life, so
    > I did "modprinc -maxlife '24 hours' ross". The new lifetime is
    > reflected in the getprinc output.
    >
    > Still, kinit only gets me a 10h ticket. What gives?
    >
    > I'm using the krb5 packages from Debian, if that makes a difference.
    > Thanks!
    >
    > Ross


    You also have to increase the maximum lifetime of the service you are
    authenticating to. In this case that is the krbtgt service
    (krbtgt/REALM@REALM).

    K.C.

  3. Re: Unable to change lifetime with MIT krb5

    On Jan 27, 10:45 pm, "Kevin Coffman" wrote:
    > On Jan 27, 2008 10:01 PM, wrote:
    >
    >
    >
    > > Hi everyone,

    >
    > > I have a simple MIT Kerberos config. One KDC/KAS, a handful of
    > > client. I have a principal that I'd like to allow 24h expiration
    > > times on tickets.

    >
    > > My kdc.conf has "max_life = 24h 0m 0s", but if I run "kinit -l 24h", I
    > > still get the default 10h expiration time.

    >
    > > I noticed that the principal had been created with a 10h max life, so
    > > I did "modprinc -maxlife '24 hours' ross". The new lifetime is
    > > reflected in the getprinc output.

    >
    > > Still, kinit only gets me a 10h ticket. What gives?

    >
    > > I'm using the krb5 packages from Debian, if that makes a difference.
    > > Thanks!

    >
    > > Ross

    >
    > You also have to increase the maximum lifetime of the service you are
    > authenticating to. In this case that is the krbtgt service
    > (krbtgt/REALM@REALM).
    >
    > K.C.


    Wonderful; works like a charm!

    Thanks,
    Ross

+ Reply to Thread