I am using MIT kerberos 5 on my machine to authenticate a user. This grants the ticket to the user. I want to reset the maxlife of a ticket for more than 24 hrs. By default the max life of a kerberos ticket is 24 hrs. I have tried the following steps:
- Changed `/var/kerberos/krb5kdc/kdc.conf`. I did not find max-life so I set `max_life = 168h 0m 0s`
- Changed `/etc/krb5.conf`. Changed the default ticket_lifetime from 24 hrs to `ticket_lifetime = 168h 0m 0s`
- By default the principal lifetime is `Maximum ticket life: 1 days 00:00:00`. I changed it to 168h with the following command:
  `kadmin.local: modify_principal -maxlife 168hours testkerb`
  It changed to `Maximum ticket life: 7 days 00:00:00`
- Then I did a `kinit` for the user and checked with `klist`.

The `klist` result still shows the ticket life as 24 hrs. Output of `klist` is as follows:
Valid starting Expires Service principal
**11/19/14 12:51:59 11/20/14 12:51:59 krbtgt/[email protected]**
renew until 11/19/14 12:51:59
If someone knows, please tell me where I am making the mistake. Less than 24 hrs I am able to change the ticket life, but more than 24 hrs it does not reflect in the `klist`. I would appreciate the help.
Hi, I got the working steps, so I am updating it. To change the max-lifetime of a ticket in Kerberos from the default 24 hrs to more than 24 hrs, follow the following steps:
- Add the `max_life` property to the `/var/kerberos/krb5kdc/kdc.conf` file.
- Changed the `/etc/krb5.conf` file.
- Changed the default principal krbtgt/[email protected] Maximum Life Time.

Now we can set the ticket life up to 7 days, i.e. 168 hrs. We can do `kinit` for the user and check the expiry of the ticket by `klist`. You can also use the `kadmin` command and `getprinc` to see the state of the principal.
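The answer's last step matters because the KDC issues a ticket for the smallest of the limits involved, so a krbtgt principal left at 1 day caps every ticket regardless of the other three settings. The following check is an added example, not part of the original post: it reads the two config files and two `getprinc` outputs and reports which setting is the binding one. The realm `EXAMPLE.COM`, the sample file contents and all function names are assumptions made for illustration.

```python
import re

DEFAULT = 24 * 3600  # 24 h default stated on this page, used when a value is absent

def parse_duration(text):
    """Seconds from '168h 0m 0s' (conf files) or '7 days 00:00:00' (getprinc)."""
    text = text.strip()
    m = re.fullmatch(r"(?:(\d+) days? )?(\d+):(\d\d):(\d\d)", text)
    if m:
        d, h, mi, s = (int(x or 0) for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts or re.sub(r"\d+\s*[dhms]\s*", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return sum(int(n) * {"d": 86400, "h": 3600, "m": 60, "s": 1}[u] for n, u in parts)

def find(text, pattern):
    """Parse the duration captured by pattern, or fall back to DEFAULT."""
    m = re.search(pattern, text, re.M)
    return parse_duration(m.group(1)) if m else DEFAULT

def effective_lifetime(krb5_conf, kdc_conf, user_princ, tgt_princ):
    """Return (seconds, setting) for the smallest of the four limits."""
    life = r"^Maximum ticket life:[ \t]*(.+)$"
    limits = {
        "krb5.conf ticket_lifetime": find(krb5_conf, r"^[ \t]*ticket_lifetime[ \t]*=[ \t]*(.+)$"),
        "kdc.conf max_life": find(kdc_conf, r"^[ \t]*max_life[ \t]*=[ \t]*(.+)$"),
        "user principal maxlife": find(user_princ, life),
        "krbtgt principal maxlife": find(tgt_princ, life),
    }
    name = min(limits, key=limits.get)
    return limits[name], name

# Constructed sample input mirroring the question; EXAMPLE.COM is a placeholder realm.
KRB5 = "[libdefaults]\n ticket_lifetime = 168h 0m 0s\n"
KDC = "[realms]\n EXAMPLE.COM = {\n  max_life = 168h 0m 0s\n }\n"
USER = "Principal: testkerb@EXAMPLE.COM\nMaximum ticket life: 7 days 00:00:00\n"
TGT_BEFORE = "Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM\nMaximum ticket life: 1 days 00:00:00\n"
TGT_AFTER = TGT_BEFORE.replace("1 days", "7 days")

if __name__ == "__main__":
    for tgt in (TGT_BEFORE, TGT_AFTER):
        secs, name = effective_lifetime(KRB5, KDC, USER, tgt)
        print(f"{secs // 3600} h, capped by {name}")
```

With the question's settings the result is 24 h capped by the krbtgt principal; after that principal is raised to 7 days the result is 168 h.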