Kevin Coffman wrote:
> On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe
> <[email protected]> wrote:
>
>> Russ Allbery wrote:
>>
>>> Jason Edgecombe <[email protected]> writes:
>>>
>>>> We are extending the ticket lifetime for all of the users in our realm
>>>> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
>>>> "modprinc -maxlife 7day [email protected]" will extend the ticket lifetime
>>>> for an existing user, but how do I make it the default for new users?
>>>>
>>> I believe the default for new users is taken from the max_life setting in
>>> kdc.conf.
>>>
>> hmm,
>>
>> my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get
>> 7 day tickets by default. Am I missing something?
>>
>
> The ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> Sounds like you have changed 1) and 3). You'll also need to modify
> the maxlife for principal krbtgt/<REALM>@<REALM> to get TGTs with a
> longer lifetime. (You will have to alter other service principals if
> you want to issue service tickets with longer lifetimes for those
> services.)
>
> I believe there is a default (requested) lifetime in kinit as well, so
> you may need to specify a longer requested lifetime there ("kinit -l
> 7d").
>

I can already get a 7 day ticket length when I kinit because my principal is set for 7 days lifetime. That works. I'm just wondering how I can run "addprinc user -maxlife 7day" without having to specify "-maxlife 7day" or modprinc user -maxlife 7day after the addprinc.

Thanks,
Jason

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
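
The four-way minimum described in the quoted reply, as an added example that is not part of the thread: it normalises the two duration notations involved and reports which limit is actually capping the ticket. The realm EXAMPLE.COM, the getprinc excerpts and the 1-day krbtgt value are constructed sample data, and the function names are hypothetical.

```python
import re

# "Maximum ticket life" line in the layout kadmin's getprinc prints.
LIFE_RE = re.compile(r"Maximum ticket life:\s*(\d+) days? (\d+):(\d+):(\d+)")
# Durations in the style quoted in the thread: "7d 0h 0m 0s", "7d".
DUR_RE = re.compile(r"(\d+)\s*([dhms])")
UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def getprinc_maxlife(output):
    """Seconds from the 'Maximum ticket life' line of getprinc output."""
    m = LIFE_RE.search(output)
    if m is None:
        raise ValueError("no 'Maximum ticket life' line found")
    d, h, mi, s = (int(x) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def duration(text):
    """Seconds from a kdc.conf / kinit -l style duration string."""
    parts = DUR_RE.findall(text)
    if not parts:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNIT[u] for n, u in parts)


def binding_limits(limits):
    """Return (effective lifetime in seconds, names of the limits equal to it)."""
    low = min(limits.values())
    return low, sorted(name for name, v in limits.items() if v == low)


# Constructed sample: user principal and kdc.conf raised to 7 days,
# krbtgt principal assumed to be still at 1 day.
SAMPLE = {
    "user principal maxlife": getprinc_maxlife(
        "Principal: user@EXAMPLE.COM\nMaximum ticket life: 7 days 00:00:00\n"),
    "krbtgt principal maxlife": getprinc_maxlife(
        "Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM\n"
        "Maximum ticket life: 1 day 00:00:00\n"),
    "kdc.conf max_life": duration("7d 0h 0m 0s"),
    "requested lifetime (kinit -l)": duration("7d"),
}

if __name__ == "__main__":
    seconds, names = binding_limits(SAMPLE)
    print(f"effective lifetime: {seconds / 86400:g} day(s), "
          f"capped by: {', '.join(names)}")
```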
