How to Change the Kerberos Default Ticket Lifetime
Posted
by user40497
on Server Fault
See other posts from Server Fault
or by user40497
Published on 2010-04-13T21:07:01Z
Indexed on
2010/04/13
21:13 UTC
Read the original article
Hit count: 445
kerberos
Our KDC servers are running either Ubuntu Dapper (2.6.15-28) or Hardy (2.6.24-19). The Kerberos software is the MIT implementation of Kerberos 5. By default, a Kerberos ticket lasts for 10 hours. However, we'd like to increase it a bit (e.g. 14 hours) to suit our needs better. I had done the following but the ticket lifetime still stays at 10 hours:
1) On all the KDC servers, set the following parameter under [realms] in /etc/krb5kdc/kdc.conf and restarted the KDC daemon:
max_life = 14h 0m 0s
2) Via "kadmin", changed the "maxlife" for a test principal via "modprinc -maxlife 14hours ".
"getprinc " shows that the maximum ticket life is indeed 14 hours: Maximum ticket life: 0 days 14:00:00
3) On a Kerberos client machine, set the following parameters under [libdefaults], [realms], [domain_realm], and [login] in /etc/krb5.conf (everywhere basically since nothing I tried had worked):
ticket_lifetime = 13hrs default_lifetime = 13hrs
With the above settings, I suppose that the ticket lifetime would be capped at 13 hours. When I do "k5start -l 14h -t ", I see that the end time for the "renew until" line is now 14 hours from the starting time:
Valid starting Expires Service principal 04/13/10 16:42:05 04/14/10 02:42:05 krbtgt/@ renew until 04/14/10 06:42:03
"-l 13h" would make the end time in the "renew until" line 13 hours after the starting time.
However, the ticket still expires in 10 hours (04/13 16:42:05 - 014/14 02:42:05).
Am I not changing the right configuration file(s)/parameter(s), not specifying the right option when obtaining a Kerberos ticket, or something else?
Any feedback is greatly appreciated! Thank you!
© Server Fault or respective owner