[29155] in Kerberos
Re: Unable to change lifetime with MIT krb5
daemon@ATHENA.MIT.EDU (vandegrift@gmail.com)
Mon Jan 28 01:15:22 2008
From: vandegrift@gmail.com
Date: Sun, 27 Jan 2008 22:02:34 -0800 (PST)
Message-ID: <38efd23d-e7b0-4a9a-ad9e-84766ea2cebc@h11g2000prf.googlegroups.com>
Mime-Version: 1.0
X-Complaints-To: groups-abuse@google.com
Complaints-To: groups-abuse@google.com
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Jan 27, 10:45 pm, "Kevin Coffman" <k...@citi.umich.edu> wrote:
> On Jan 27, 2008 10:01 PM, <vandegr...@gmail.com> wrote:
>
>
>
> > Hi everyone,
>
> > I have a simple MIT Kerberos config. One KDC/KAS, a handful of
> > client. I have a principal that I'd like to allow 24h expiration
> > times on tickets.
>
> > My kdc.conf has "max_life = 24h 0m 0s", but if I run "kinit -l 24h", I
> > still get the default 10h expiration time.
>
> > I noticed that the principal had been created with a 10h max life, so
> > I did "modprinc -maxlife '24 hours' ross". The new lifetime is
> > reflected in the getprinc output.
>
> > Still, kinit only gets me a 10h ticket. What gives?
>
> > I'm using the krb5 packages from Debian, if that makes a difference.
> > Thanks!
>
> > Ross
>
> You also have to increase the maximum lifetime of the service you are
> authenticating to. In this case that is the krbtgt service
> (krbtgt/REALM@REALM).
>
> K.C.
Wonderful; works like a charm!
Thanks,
Ross
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
