Github user dyozie commented on a diff in the pull request:
https://github.com/apache/incubator-hawq-docs/pull/131#discussion_r143874681
--- Diff: markdown/clientaccess/kerberos.html.md.erb ---
@@ -515,6 +516,53 @@ Valid starting Expires Service principal
After generating a ticket, you can connect to a HAWQ database as a
kerberos-authenticated user using `psql` or other client programs.
+### <a id="change_ticket"></a>Changing the Ticket Renewal Interval
+
+The lifetime of the Kerberos ticket may need to be changed. The ticket
lifetime is the minimum of the following values:
+
+* `max_life` in `kdc.conf` on the KDC servers.
+* `ticket_lifetime` in `krb5.conf` on the client
+* maxlife for the user principal
+* maxlife for the service principal in krbtgt\[REALM\]
+* maxlife for the AFS service principal "afs/[realm_in_lower_case]"
+* the requested lifetime in the ticket request
+
+**Note:** The kdc.conf file supplements krb5.conf for programs using KDC.
The kdc.conf file contains defaults used when issuing Kerberos tickets, as well
as KDC configuration information.
+
+On starting HAWQ, the Resource Manager initializes the kerberos ticket to
expire after 12 hours. On KDC servers, this interval can be even longer. (Your
specific configuration may differ from these standards, so set the ticket to
renew before your system ticket lifetime.) Reset the
`server_ticket_renew_interval` to renew prior to the default value and restart
the cluster to have the new value take effect.
--- End diff --
12 hours **by default**.
---
