On 3/15/2018 4:57 AM, Andreas Haupt wrote:
> Hi Harald,
>
> On Thu, 2018-03-15 at 09:30 +0100, Harald Barth wrote:
>> Is there really no way to make kinit have "renewable" as default (like
>> "forwardable" in [libdefaults] in /etc/krb5.conf)?
>>
>> If no, is there any good reason for it?
>
> We have:
>
> [libdefaults]
> renew_lifetime = 30d

You also need to specify renewable = true if you want all tickets to be requested as renewable. renew_lifetime simply sets the default renew lifetime to request. As far as I am concerned the client should always request the maximum supported "lifetime" and "renew_lifetime" in order to permit the KDC settings to take precedence. Unfortunately, KDC implementation choices mean that there is no well-defined value for maximum lifetime and renew_lifetime. 180 days appears to be safe enough.
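A small check for the mismatch discussed in this thread, added here as an example and not taken from either poster: it reads `[libdefaults]` from a krb5.conf and reports a `renew_lifetime` that is set without `renewable = true`, or that exceeds the 180 days mentioned in the reply. Assumptions: the function names are hypothetical, the sample file is constructed, only a subset of the duration syntax is parsed, and `true`/`yes` are taken as the enabled spellings.

```python
import re

# Constructed sample: the [libdefaults] quoted in the thread, plus a dummy realm.
SAMPLE = """\
[libdefaults]
    forwardable = true
    renew_lifetime = 30d
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
SAFE_MAX = 180 * 86400  # the 180 days the reply calls "safe enough"

def parse_libdefaults(text):
    """Return top-level key/value pairs of [libdefaults]; braced blocks are skipped."""
    section, depth, out = None, 0, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if depth == 0 and line.startswith("["):
            section = line.strip("[]").strip()
        elif line.endswith("{"):
            depth += 1
        elif line.startswith("}"):
            depth -= 1
        elif section == "libdefaults" and depth == 0 and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = value
    return out

def seconds(value):
    """Parse plain seconds or <n><unit> runs (30d, 1d12h); a subset of the real syntax."""
    v = value.strip().lower()
    if v.isdigit():
        return int(v)
    if not re.fullmatch(r"(\d+[smhd]\s*)+", v):
        raise ValueError(f"unsupported duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([smhd])", v))

def check(text):
    """Flag the mismatch described in the reply, and lifetimes above 180 days."""
    cfg = parse_libdefaults(text)
    findings = []
    lifetime = cfg.get("renew_lifetime")
    if lifetime and cfg.get("renewable", "").lower() not in ("true", "yes"):
        findings.append("renew_lifetime is set but renewable = true is missing")
    if lifetime and seconds(lifetime) > SAFE_MAX:
        findings.append(f"renew_lifetime {lifetime} exceeds 180d")
    return findings
```

Calling `check(SAMPLE)` on the configuration quoted above returns the single "renewable = true is missing" finding.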