On 3/15/2018 4:57 AM, Andreas Haupt wrote:
> Hi Harald,
> On Thu, 2018-03-15 at 09:30 +0100, Harald Barth wrote:
>> Is there really no way to make kinit have "renewable" as default (like
>> "forwardable" in [libdefaults] in /etc/krb5.conf)?
>> If no, is there any good reason for it?
> We have:
> [libdefaults]
>       renew_lifetime = 30d

You also need to specify

   renewable = true

if you want all tickets to be requested as renewable.   renew_lifetime
simply sets the default renew lifetime to request.

As far as I am concerned the client should always request the maximum
supported "lifetime" and "renew_lifetime" in order to permit the KDC
settings to take precedence.

Unfortunately, KDC implementation choices mean that there is no well
defined value for maximum lifetime and renew_lifetime.  180 days appears
to be safe enough.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to