On Friday, July 06, 2012 3:31:08 AM, Jayen Ashar wrote: > How can I do a life of unlimited (with krb5)? I made the > modifications to the kdc.conf file so max_life and max_renewable_life > are both "0d". I set the lifetime on all the principals in the krb5 > database and changed the configuration of pam_krb5afs in the krb5.conf > file to reflect these changes. I can see the afs service ticket and > token expire on 03:14:07 UTC on Tuesday, 19 January 2038 (which I > assume represents "unlimited"). The openafs server is, however, > rejecting the token outright.
The code in question is tkt_DecodeTicket5() in src/rxkad/ticket5.c and
tkt_CheckTimes() in src/rxkad/ticket.c. If the 'end' value is not
exactly NEVERDATE (0xFFFFFFFF) and ('end' - 'start' is greater than
30 days, the token will be rejected.
signature.asc
Description: OpenPGP digital signature
