On Thu, 2002-11-14 at 17:34, Booker Bense wrote:
> - Unless you are using the server principals to get tickets, I
> don't see any reason to reset those values. Yes, you will get
> service tickets with a shorter lifetime, but so what? As long
> as you have a krbtgt you can get all the service tickets you
> need[1].

You might need to up the lifetimes on the service principals (and thus the service tickets you get to talk to those principals) if your application uses GSS-API and doesn't know to renegotiate a security context when one expires (which apparently many don't). This should probably be rare for GSS-API apps that were written with Kerberos in mind.

See a discussion on the IETF krb-wg mailing list for details; subject was "Can Authorization Data be retrieved through GSSAPI?" and it was on Feb 15-19 2002. In particular an exchange between Sam Hartman and Martin Rex on 19 Feb. (Ken, I can forward the exchange to you if it would help in writing the FAQ entry.)

In any case, you probably only need to do that for the service principals used by the servers for those particular applications, not all service principals in general.

-- Ben
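The following Python sketch is an added example, not part of the original message or of any Kerberos implementation. It uses a simplified model in which a service ticket ends at the earliest of the TGT end time, now plus the service principal's maximum life, and now plus the realm maximum, and it reports which non-renegotiating applications would lose their GSS-API context mid-session and which bound causes it. The principal names, lifetimes and session lengths are constructed.

```python
from datetime import datetime, timedelta

H = timedelta(hours=1)
NOW = datetime(2002, 11, 14, 9, 0)      # constructed sample clock
TGT_END = NOW + 10 * H                  # constructed: 10h krbtgt
REALM_MAXLIFE = 24 * H                  # constructed realm maximum

# Constructed inventory: principal -> (max ticket life, typical session
# length, whether the app re-establishes an expired security context).
SERVICES = {
    "imap/mail.example.org":  (1 * H, 8 * H, False),
    "host/login.example.org": (1 * H, 8 * H, True),
    "ldap/dir.example.org":   (10 * H, 8 * H, False),
    "nfs/files.example.org":  (24 * H, 12 * H, False),
}

def binding_limit(now, tgt_end, server_maxlife, realm_maxlife):
    """Return (which bound ends the ticket first, ticket end time).

    Simplified model (an assumption of this example): the earliest of
    the three bounds wins. A real KDC also honours the requested end
    time and any per-client policy.
    """
    bounds = {
        "tgt": tgt_end,
        "service": now + server_maxlife,
        "realm": now + realm_maxlife,
    }
    name = min(bounds, key=bounds.get)
    return name, bounds[name]

def contexts_expiring_early(now, tgt_end, realm_maxlife, services):
    """Map principal -> limiting bound for apps whose session outlasts
    the service ticket and that cannot renegotiate the context."""
    flagged = {}
    for principal, (maxlife, session, renegotiates) in services.items():
        limit, end = binding_limit(now, tgt_end, maxlife, realm_maxlife)
        if not renegotiates and now + session > end:
            flagged[principal] = limit
    return flagged

def report():
    return contexts_expiring_early(NOW, TGT_END, REALM_MAXLIFE, SERVICES)

if __name__ == "__main__":
    for principal, limit in sorted(report().items()):
        print(f"{principal}: context expires mid-session, limited by {limit}")
```

Only entries limited by "service" are helped by raising that one principal's lifetime; an entry limited by "tgt" would expire at the same time regardless of the service principal's setting.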
