[28742] in Kerberos


Re: How to set Kerberos 5 ticket lifetime

daemon@ATHENA.MIT.EDU (Sachin Punadikar)
Thu Nov 15 23:48:31 2007

Message-ID: <9549b1d80711152048v39f998a9s3ba9ee7784bd45d6@mail.gmail.com>
Date: Fri, 16 Nov 2007 10:18:11 +0530
From: "Sachin Punadikar" <punadikar.sachin@gmail.com>
To: "Ido Levy" <IDOL@il.ibm.com>
In-Reply-To: <OF18A825A8.8CD5CC1C-ONC2257394.0049BA24-C2257394.004AA1F6@il.ibm.com>
MIME-Version: 1.0
Content-Disposition: inline
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hi,

Here is the formula which governs the ticket_lifetime. So look at it
and make corresponding changes in your configuration:

ticket lifetime = minimum of ( "max_life" from kdc.conf file,
                               "ticket_lifetime" from krb5.conf,
                               "maxlife" of ticket granting service, i.e. krbtgt/realm_name,
                               "maxlife" of the principal/user )

Hope this helps.

- Sachin.

On Nov 15, 2007 7:09 PM, Ido Levy <IDOL@il.ibm.com> wrote:
>
> Hello,
>
> I would appreciate your advice on what is the best way to set the default
> Kerberos 5 ticket lifetime
> and what the necessary configuration is on the server and the client side.
>
> I tried the following configuration but it didn't seem to work:
>
> Server Side
>
> 1) The file kdc.conf -
>
>       I set "max_life = 168h 0m 0s" under the [realms] section.
>
> 2) I have also modified the principal and set its maxlife option as follows
>
>             > kadmin.local
>             Attempting to bind to one or more LDAP servers. This may take a while...
>             kadmin.local:  modify_principal -maxlife 168hours test@REALM
>             Principal "test@REALM" modified.
>             kadmin.local:  getprinc test@REALM
>             Principal: test@REALM
>             Expiration date: [never]
>             Last password change:  Thu Nov 15 13:53:50 IST 2007
>             Password expiration date: Wed Feb 13 13:53:50 IST 2008
>             Maximum ticket life: 7 days 00:00:00
>             Maximum renewable life: 7 days 00:00:00
>             Last modified: Thu Nov 15 15:32:10 IST 2007
>             Last successful authentication: [never]
>             Last failed authentication: [never]
>             Failed password attempts: 0
>             Number of keys: 4
>             Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt
>             Key: vno 4, ArcFour with HMAC/md5, no salt
>             Key: vno 4, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
>             Key: vno 4, DES cbc mode with RSA-MD5, no salt
>
>             Attributes:
>                    REQUIRES_PRE_AUTH
>             Policy: default
>
> Linux Client Side:
>
> No special configuration here
>
>
> Thank you in advance,
>
> Ido Levy
> IBM R&D Labs in Israel
>
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
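
The minimum rule from the reply above, as an added example (not code from this thread or from MIT Kerberos): it normalises the duration spellings that appear in the thread and reports which of the four limits caps the ticket. The krb5.conf and krbtgt values are constructed, since the thread does not show them; `to_seconds` and `effective_lifetime` are hypothetical helper names.

```python
import re

# Unit spellings that occur in this thread (kdc.conf, kadmin, getprinc output).
UNITS = {"d": 86400, "day": 86400, "days": 86400, "h": 3600, "hour": 3600,
         "hours": 3600, "m": 60, "s": 1}

def to_seconds(text):
    """Parse '168h 0m 0s', '168hours', '7 days 00:00:00' or plain seconds."""
    rest = text.strip().lower()
    if rest.isdigit():
        return int(rest)
    total = 0
    clock = re.search(r"(\d+):(\d\d):(\d\d)$", rest)  # trailing HH:MM:SS
    if clock:
        h, m, s = (int(g) for g in clock.groups())
        total = h * 3600 + m * 60 + s
        rest = rest[:clock.start()]
    for num, unit in re.findall(r"(\d+)\s*([a-z]+)", rest):
        if unit not in UNITS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(num) * UNITS[unit]
    if re.sub(r"\d+\s*[a-z]+", "", rest).strip():
        raise ValueError(f"unparsed text in {text!r}")
    return total

def effective_lifetime(limits):
    """Return (seconds, names of the limits that impose the minimum)."""
    secs = {name: to_seconds(value) for name, value in limits.items()}
    low = min(secs.values())
    return low, [name for name, s in secs.items() if s == low]

# First and last values are from the thread; the middle two are constructed,
# because the thread never shows krb5.conf or the krbtgt principal.
SAMPLE = {
    "kdc.conf max_life": "168h 0m 0s",
    "krb5.conf ticket_lifetime": "24h",            # constructed
    "krbtgt/REALM maxlife": "1 day 00:00:00",      # constructed
    "principal test@REALM maxlife": "7 days 00:00:00",
}

if __name__ == "__main__":
    secs, capped_by = effective_lifetime(SAMPLE)
    print(f"effective ticket lifetime: {secs // 3600}h, capped by {capped_by}")
```

With these sample values the two 7-day settings from the thread have no effect, because the two constructed 1-day limits are lower.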