[EMAIL PROTECTED] (Nicolas Williams) writes: > Sorry. > > Here's the deal: you must get all the little ducks in a row.
:-) > Specifically, the renewable life is set to be the minimum of: > > - the requested renewable life > - the client principal's max renewable life Played with that, this was even more confusing, after modifying principal and getting tickets - like nothing was modified. > - the service principal's max renewable life > - the max renewable life for the realm (or one day, if not set) I think that places on disk where are kdc.conf and krb5.conf are totaly devasted because of editing. :-) > The principals' max renewable life times are set in the KDB records with > kadmin. By default new principals get a max renewable life of 0 if the > max renewable life for the realm is not set in kdc.conf. The kdb5_util > utility sets the max renewable life for the TGS the same way. > > So, chances are that your krbtgt/<realm>@<realm> has a max renewable > life time of 0. Fix that, and your users' max renew times and you'll be > set. YES! That was a problem. This explanation *must* come in documentation and FAQ's! There is no explanation for that on google web or groups and there are couple of questions like my, but without answer! My [EMAIL PROTECTED] was 10h maxlife and 0 max renewable date. (exactly that was given by kinit to users) Probably I created krbtgt in the beggining of setup and defaults in conf files was not tuned properly yet. After month and half I _finaly_ solved this annoying problem in 2 minutes! - Thanks to you Nicolas. Thank you very much Nicolas! -- This signature intentionally left blank ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
