How to Change the Kerberos Default Ticket Lifetime

Posted by user40497 on Server Fault
Published on 2010-04-13T21:07:01Z

Our KDC servers are running either Ubuntu Dapper (2.6.15-28) or Hardy (2.6.24-19). The Kerberos software is the MIT implementation of Kerberos 5. By default, a Kerberos ticket lasts for 10 hours. However, we'd like to increase it a bit (e.g. 14 hours) to suit our needs better. I had done the following but the ticket lifetime still stays at 10 hours:

1) On all the KDC servers, set the following parameter under [realms] in /etc/krb5kdc/kdc.conf and restarted the KDC daemon:

max_life = 14h 0m 0s

2) Via "kadmin", changed the "maxlife" for a test principal via "modprinc -maxlife 14hours ".

"getprinc " shows that the maximum ticket life is indeed 14 hours: Maximum ticket life: 0 days 14:00:00

3) On a Kerberos client machine, set the following parameters under [libdefaults], [realms], [domain_realm], and [login] in /etc/krb5.conf (everywhere basically since nothing I tried had worked):

ticket_lifetime = 13hrs
default_lifetime = 13hrs

With the above settings, I suppose that the ticket lifetime would be capped at 13 hours. When I do "k5start -l 14h -t ", I see that the end time for the "renew until" line is now 14 hours from the starting time:

Valid starting     Expires            Service principal
04/13/10 16:42:05  04/14/10 02:42:05  krbtgt/@
        renew until 04/14/10 06:42:03

"-l 13h" would make the end time in the "renew until" line 13 hours after the starting time.

However, the ticket still expires in 10 hours (04/13 16:42:05 - 04/14 02:42:05).

Am I not changing the right configuration file(s)/parameter(s), not specifying the right option when obtaining a Kerberos ticket, or something else?

Any feedback is greatly appreciated! Thank you!
