On Fri, 15 Nov 2002, Ken Hornstein wrote: > > - Unless you are using the server principals to get tickets, I > > don't see any reason to reset those values. Yes, you will get > > service tickets with a shorter lifetime, but so what? As long > > as you have a krbtgt you can get all the service tickets you > > need[1]. > > Have you ever actually done this? It completely sucks. The problem is > that the expiration time for a service ticket is calculated based on > the start time of the TGT plus minimum of the service ticket lifetime, > TGT lifetime, and max realm lifetime[1]. _This_ means that if you have a > TGT with a ten hour lifetime, and your service ticket is only good for > 5 hours, your service ticket will only be good for 5 hours ...
- That part I knew. > and you > CANNOT get a new ticket for that service without acquiring a new TGT. > - Um, that seems very broken. Is the problem just that the mk_req routines are not checking the expiration time of the existing service ticket? - Booker C. Bense ________________________________________________ Kerberos mailing list [EMAIL PROTECTED] http://mailman.mit.edu/mailman/listinfo/kerberos
