kerberos ticket lifetime in Heimdal
Victor Sudakov
2008-01-02 03:33:11 UTC
Colleagues,

Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
in TGT's lifetime being 3 days, however all service tickets' lifetime
is still 1 day, like this:

Issued           Expires          Principal
Jan  2 09:27:44  Jan  5 09:27:44  krbtgt/***@SIBPTUS.TOMSK.RU
Jan  2 09:27:47  Jan  3 09:27:47  host/***@SIBPTUS.TOMSK.RU

How can I configure Kerberos so that all service tickets also get a
lifetime of 3 days?

TIA.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/***@fidonet http://vas.tomsk.ru/
Russ Allbery
2008-01-02 04:29:44 UTC
Post by Victor Sudakov
Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
in TGT's lifetime being 3 days, however all service tickets' lifetime
Issued Expires Principal
How can I configure Kerberos so that all service tickets also get a
lifetime of 3 days?
You probably need to change the maximum ticket lifetime for all of those
principals in the KDC.
--
Russ Allbery (***@stanford.edu) <http://www.eyrie.org/~eagle/>
Victor Sudakov
2008-01-02 06:31:08 UTC
Post by Russ Allbery
Post by Victor Sudakov
Running "kinit -l3d" or setting ticket_lifetime in krb5.conf results
in TGT's lifetime being 3 days, however all service tickets' lifetime
Issued Expires Principal
How can I configure Kerberos so that all service tickets also get a
lifetime of 3 days?
You probably need to change the maximum ticket lifetime for all of those
principals in the KDC.
Thank you, it worked.

Is there a way to set the default maximum ticket lifetime for all
newly created principals?

I usually create new host principals by running "ktutil get" on the
host itself.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/***@fidonet http://vas.tomsk.ru/
Victor Sudakov
2008-01-02 06:55:21 UTC
Post by Victor Sudakov
Post by Russ Allbery
You probably need to change the maximum ticket lifetime for all of those
principals in the KDC.
Thank you, it worked.
Is there a way to set the default maximum ticket lifetime for all
newly created principals?
It seems that the "default" principal should be modified, i.e.
"modify --max-ticket-life=3d default"
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/***@fidonet http://vas.tomsk.ru/
Russ Allbery
2008-01-02 07:20:43 UTC
Post by Victor Sudakov
Thank you, it worked.
Is there a way to set the default maximum ticket lifetime for all
newly created principals?
I usually create new host principals by running "ktutil get" on the
host itself.
I don't know in Heimdal; I assume there is, but I'm not familiar enough
with that implementation. In MIT Kerberos, it's a kdc.conf setting.
--
Russ Allbery (***@stanford.edu) <http://www.eyrie.org/~eagle/>
Victor Sudakov
2008-01-02 11:19:18 UTC
Post by Russ Allbery
Post by Victor Sudakov
Is there a way to set the default maximum ticket lifetime for all
newly created principals?
I usually create new host principals by running "ktutil get" on the
host itself.
I don't know in Heimdal; I assume there is, but I'm not familiar enough
with that implementation. In MIT Kerberos, it's a kdc.conf setting.
In Heimdal, you modify the "default" principal.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/***@fidonet http://vas.tomsk.ru/
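
The lifetime cap discussed in this thread, as an added example that is not part of any poster's message: a Python check that parses klist-style output and reports service tickets issued with a shorter lifetime than the TGT. The principal names in the sample are constructed placeholders, the year argument is an assumption (klist prints none), and effective_life is a simplified model of the KDC issuing the shortest applicable limit.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the klist output quoted in the thread
# (placeholder principals; the last line is an added New Year edge case).
SAMPLE = """\
Issued           Expires          Principal
Jan  2 09:27:44  Jan  5 09:27:44  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Jan  2 09:27:47  Jan  3 09:27:47  host/server.example.org@EXAMPLE.ORG
Dec 31 23:00:00  Jan  1 23:00:00  host/other.example.org@EXAMPLE.ORG
"""

STAMP = r"([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}:\d{2}:\d{2})"
LINE = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)$")
FMT = "%Y %b %d %H:%M:%S"

def parse_klist(text, year=2008):
    """Return {principal: lifetime} from klist-style lines (stamps carry no year)."""
    tickets = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # header or blank line
        issued = datetime.strptime(f"{year} {m[1]} {m[2]} {m[3]}", FMT)
        expires = datetime.strptime(f"{year} {m[4]} {m[5]} {m[6]}", FMT)
        if expires < issued:  # ticket spans New Year
            expires = expires.replace(year=year + 1)
        tickets[m[7]] = expires - issued
    return tickets

def capped_services(tickets):
    """Service tickets whose lifetime is shorter than the TGT's (needs a TGT line)."""
    tgt = max(v for k, v in tickets.items() if k.startswith("krbtgt/"))
    return {k: v for k, v in tickets.items()
            if not k.startswith("krbtgt/") and v < tgt}

def effective_life(requested, tgt_remaining, client_max, service_max):
    """Simplified model: the issued lifetime is the shortest applicable limit."""
    return min(requested, tgt_remaining, client_max, service_max)

if __name__ == "__main__":
    for principal, life in capped_services(parse_klist(SAMPLE)).items():
        print(f"{principal}: {life} (shorter than TGT; check max-ticket-life)")
```

Any principal it reports is a candidate for the max-ticket-life change described in the replies above.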