Re: How do I change the ticket lifetime in the default policy?

2009-02-18 Thread Kevin Coffman
On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe wrote:
> Russ Allbery wrote:
>> Jason Edgecombe  writes:
>>
>>
>>> We are extending the ticket lifetime for all of the users in our realm
>>> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
>>> "modprinc -maxlife 7day u...@realm.com" will extend the ticket lifetime
>>> for an existing user, but how do I make it the default for new users?
>>>
>>
>> I believe the default for new users is taken from the max_life setting in
>> kdc.conf.
>>
>>
> hmm,
>
> my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get
> 7 day tickets by default. Am I missing something?

The ticket lifetime is the minimum of 4 values:
1) maxlife for the user principal
2) maxlife for the service [principal]
3) max_life in the kdc.conf
4) requested lifetime in the ticket request

Sounds like you have changed 1) and 3).  You'll also need to modify
the maxlife for principal krbtgt/@ to get TGTs with a
longer lifetime.  (You will have to alter other service principals if
you want to issue service tickets with longer lifetimes for those
services.)

I believe there is a default (requested) lifetime in kinit as well, so
you may need to specify a longer requested lifetime there ("kinit -l
7d").

K.C.

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
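
The minimum-of-four rule from the reply above, as an added example that is not part of the original thread: it takes the four limits and reports which one caps the ticket. The `getprinc` lines are constructed samples assumed to follow kadmin's `Maximum ticket life: N day(s) HH:MM:SS` form, the function names are hypothetical, and the duration parser covers only the `7d 0h 0m 0s` style and bare seconds.

```python
import re

# Constructed sample `kadmin getprinc` lines (not taken from the thread).
SAMPLE_GETPRINC = {
    "user": "Maximum ticket life: 7 days 00:00:00",
    "krbtgt": "Maximum ticket life: 1 day 00:00:00",
}

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_delta(text):
    """Parse 'NdNhNmNs' (kdc.conf max_life, kinit -l) or bare seconds."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    # Reject anything left over once the recognised fields are removed.
    if not parts or re.sub(r"\d+\s*[dhms]|\s", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def parse_getprinc_life(line):
    """Parse 'Maximum ticket life: N day(s) HH:MM:SS' into seconds."""
    m = re.search(r"Maximum ticket life:\s*(\d+) days? (\d+):(\d+):(\d+)", line)
    if m is None:
        raise ValueError(f"no ticket life in: {line!r}")
    d, h, mi, s = map(int, m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def effective_lifetime(user_line, service_line, kdc_max_life, requested):
    """Return (seconds, limiting_source) under the minimum-of-four rule."""
    limits = {
        "user principal maxlife": parse_getprinc_life(user_line),
        "service principal maxlife": parse_getprinc_life(service_line),
        "kdc.conf max_life": parse_delta(kdc_max_life),
        "requested lifetime": parse_delta(requested),
    }
    source = min(limits, key=limits.get)  # first entry wins on a tie
    return limits[source], source


if __name__ == "__main__":
    secs, source = effective_lifetime(
        SAMPLE_GETPRINC["user"], SAMPLE_GETPRINC["krbtgt"], "7d 0h 0m 0s", "7d")
    print(f"effective lifetime {secs}s, limited by {source}")
```

For a TGT request the service principal is the krbtgt principal, so with the constructed values the krbtgt maxlife is the limit even though the user principal and kdc.conf both allow 7 days.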


Re: How do I change the ticket lifetime in the default policy?

2009-02-17 Thread Jason Edgecombe
Kevin Coffman wrote:
> On Tue, Feb 17, 2009 at 4:49 PM, Jason Edgecombe wrote:
>   
>> Russ Allbery wrote:
>> 
>>> Jason Edgecombe  writes:
>>>
>>>
>>>   
>>>> We are extending the ticket lifetime for all of the users in our realm
>>>> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
>>>> "modprinc -maxlife 7day u...@realm.com" will extend the ticket lifetime
>>>> for an existing user, but how do I make it the default for new users?
>>>>
>>> I believe the default for new users is taken from the max_life setting in
>>> kdc.conf.
>>>
>>>
>>>   
>> hmm,
>>
>> my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get
>> 7 day tickets by default. Am I missing something?
>> 
>
> The ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
>
> Sounds like you have changed 1) and 3).  You'll also need to modify
> the maxlife for principal krbtgt/@ to get TGTs with a
> longer lifetime.  (You will have to alter other service principals if
> you want to issue service tickets with longer lifetimes for those
> services.)
>
> I believe there is a default (requested) lifetime in kinit as well, so
> you may need to specify a longer requested lifetime there ("kinit -l
> 7d").
>   
I can already get a 7 day ticket length when I kinit because my 
principal is set for 7 days lifetime. That works. I'm just wondering how 
I can run "addprinc user -maxlife 7day" without having to specify 
"-maxlife 7day" or modprinc user -maxlife 7day after the addprinc.

Thanks,
Jason



Re: How do I change the ticket lifetime in the default policy?

2009-02-17 Thread Jason Edgecombe
Russ Allbery wrote:
> Jason Edgecombe  writes:
>
>   
>> We are extending the ticket lifetime for all of the users in our realm
>> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
>> "modprinc -maxlife 7day u...@realm.com" will extend the ticket lifetime
>> for an existing user, but how do I make it the default for new users?
>> 
>
> I believe the default for new users is taken from the max_life setting in
> kdc.conf.
>
>   
hmm,

my kdc.conf already has "max_life = 7d 0h 0m 0s" and the users don't get
7 day tickets by default. Am I missing something?

Thanks,
Jason



Re: How do I change the ticket lifetime in the default policy?

2009-02-17 Thread Russ Allbery
Jason Edgecombe  writes:

> We are extending the ticket lifetime for all of the users in our realm
> from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
> "modprinc -maxlife 7day u...@realm.com" will extend the ticket lifetime
> for an existing user, but how do I make it the default for new users?

I believe the default for new users is taken from the max_life setting in
kdc.conf.

-- 
Russ Allbery (r...@stanford.edu) 



How do I change the ticket lifetime in the default policy?

2009-02-17 Thread Jason Edgecombe
Hi everyone,

We are extending the ticket lifetime for all of the users in our realm
from 1 day to 7 days. We use MIT Kerberos in our realm. I know that
"modprinc -maxlife 7day u...@realm.com" will extend the ticket lifetime
for an existing user, but how do I make it the default for new users?

To handle our existing users, I plan to script the modprinc command for
all of our users. The users have a mix of ticket lifetimes from 1 day to
7 days. Is there a more elegant way than to run modprinc on everybody?

Thanks,
Jason

