
Our KDC servers are running either Ubuntu Dapper (2.6.15-28) or Hardy (2.6.24-19). The Kerberos software is the MIT implementation of Kerberos 5. By default, a Kerberos ticket lasts for 10 hours. However, we'd like to increase it a bit (e.g. 14 hours) to suit our needs better. I had done the following but the ticket lifetime still stays at 10 hours:

  1. On all the KDC servers, set the following parameter under "[realms]" in /etc/krb5kdc/kdc.conf and restarted the KDC daemon:

    max_life = 14h 0m 0s
    
  2. Via "kadmin", changed the "maxlife" for a test principal via "modprinc -maxlife 14hours ".

    "getprinc " shows that the maximum ticket life is indeed 14 hours: Maximum ticket life: 0 days 14:00:00

  3. On a Kerberos client machine, set the following parameters under [libdefaults], [realms], [domain_realm], and [login] in /etc/krb5.conf (everywhere basically since nothing I tried had worked):

    ticket_lifetime = 13hrs
    default_lifetime = 13hrs
    

With the above settings, I suppose that the ticket lifetime would be capped at 13 hours. When I do k5start -l 14h -t <principal>, I see that the end time for the "renew until" line is now 14 hours from the starting time:

Valid starting     Expires            Service principal
04/13/10 16:42:05  04/14/10 02:42:05  krbtgt/<realm>@<realm>
 renew until 04/14/10 06:42:03

"-l 13h" would make the end time in the "renew until" line 13 hours after the starting time.

However, the ticket still expires in 10 hours (04/13 16:42:05 - 04/14 02:42:05).

Am I not changing the right configuration file(s)/parameter(s), not specifying the right option when obtaining a Kerberos ticket, or something else?

user40497

1 Answer


Turns out that I also had to change the "maxlife" parameter for the service principal as well. Specifically, I had to do "modprinc -maxlife 14hours krbtgt/[REALM_in_CAPS]" to get the lifetime increased to 14 hours.

To sum up, the ticket lifetime is the minimum of the following values:

  • max_life in kdc.conf on the KDC servers.

  • ticket_lifetime in krb5.conf on the client machine.

  • maxlife for the user principal.

  • maxlife for the service principal "krbtgt/[REALM_in_CAPS]" => What I had missed!

  • requested lifetime in the ticket request. For example:

    • k5start -l 14h
    • kinit -l 14h
  • maxlife for the AFS service principal "afs/[realm_in_lower_case]", if you want to increase the lifetime of your AFS token.

Mystery solved!

user40497
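The "minimum of all caps" rule in the answer can be checked offline before touching a KDC. The Python helper below is an added example, not code from the original answer or from MIT Kerberos: it parses the duration spellings that appear on this page (kdc.conf `14h 0m 0s`, kadmin `14hours`, getprinc `0 days 14:00:00`, krb5.conf `13hrs`), reports which setting is the binding limit for a requested lifetime, and measures the lifetime actually granted from a `klist` line. The realm `EXAMPLE.COM`, the two settings tables and the 10-hour krbtgt `maxlife` in the "before" scenario are constructed placeholders standing in for the values in the question; the set of accepted unit spellings is an assumption covering what the page shows, not a full reimplementation of krb5's duration parser.

```python
import re
from datetime import datetime

# Unit spellings accepted by parse_duration(). Assumption for this example:
# covers the forms on the page, not every spelling MIT krb5 understands.
_UNIT_SECONDS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hrs": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}
_TOKEN = re.compile(r"(\d+)\s*([a-zA-Z]+)")
# getprinc style: "0 days 14:00:00" (the "N days" prefix is optional)
_CLOCK = re.compile(r"^(?:(\d+)\s*days?\s+)?(\d+):(\d{2}):(\d{2})$")
# klist style: "04/13/10 16:42:05  04/14/10 02:42:05  krbtgt/REALM@REALM"
_KLIST_LINE = re.compile(r"^\s*(\S+ \S+)\s+(\S+ \S+)\s+(\S+)")
_KLIST_TS = "%m/%d/%y %H:%M:%S"


def parse_duration(text):
    """Return the number of seconds a krb5-style duration string denotes."""
    text = text.strip()
    if text.isdigit():                      # bare seconds
        return int(text)
    m = _CLOCK.match(text)
    if m:                                   # "[N days] HH:MM:SS"
        days, h, mi, s = (int(x or 0) for x in m.groups())
        return days * 86400 + h * 3600 + mi * 60 + s
    total, pos = 0, 0
    for m in _TOKEN.finditer(text):         # "14h 0m 0s", "13hrs", "14hours"
        if text[pos:m.start()].strip():
            raise ValueError(f"unparsable duration: {text!r}")
        unit = m.group(2).lower()
        if unit not in _UNIT_SECONDS:
            raise ValueError(f"unknown unit {unit!r} in {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[unit]
        pos = m.end()
    if pos == 0 or text[pos:].strip():
        raise ValueError(f"unparsable duration: {text!r}")
    return total


def effective_lifetime(requested, caps):
    """Apply the rule from the answer: the granted lifetime is the minimum of
    the requested lifetime and every configured cap. Returns (seconds, name of
    the binding limit) so an admin can see which knob to turn."""
    limits = {"requested lifetime": parse_duration(requested)}
    for name, value in caps.items():
        limits[name] = parse_duration(value)
    binding = min(limits, key=limits.get)
    return limits[binding], binding


def klist_ticket_lifetime(line):
    """Parse one ticket line of klist output and return (service, seconds)."""
    m = _KLIST_LINE.match(line)
    if not m:
        raise ValueError(f"not a klist ticket line: {line!r}")
    start = datetime.strptime(m.group(1), _KLIST_TS)
    end = datetime.strptime(m.group(2), _KLIST_TS)
    return m.group(3), int((end - start).total_seconds())


# Constructed scenario mirroring the question: everything raised except the
# krbtgt principal, whose maxlife is assumed to still be the 10-hour default.
BEFORE_FIX = {
    "max_life in kdc.conf": "14h 0m 0s",
    "ticket_lifetime in krb5.conf": "13hrs",
    "maxlife of user principal": "14hours",
    "maxlife of krbtgt/EXAMPLE.COM": "0 days 10:00:00",
}
# After "modprinc -maxlife 14hours krbtgt/EXAMPLE.COM" (constructed value).
AFTER_FIX = dict(BEFORE_FIX, **{"maxlife of krbtgt/EXAMPLE.COM": "0 days 14:00:00"})

if __name__ == "__main__":
    # Constructed klist line in the format shown in the question.
    line = "04/13/10 16:42:05  04/14/10 02:42:05  krbtgt/EXAMPLE.COM@EXAMPLE.COM"
    svc, got = klist_ticket_lifetime(line)
    print(f"{svc}: granted {got // 3600}h")
    for label, caps in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        secs, why = effective_lifetime("14h", caps)
        print(f"{label}: expect {secs // 3600}h, limited by {why}")
```

Run as a script it prints that the 14h request is capped at 10h by the krbtgt maxlife in the "before" table and at 13h by the client's `ticket_lifetime` afterwards, which matches the question's observation that `-l 14h` moved only the "renew until" time. To use it against a real realm, paste the `max_life`, `ticket_lifetime` and `getprinc` "Maximum ticket life" values into the table and the ticket line from `klist` into `klist_ticket_lifetime()`.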
  • what other lifetime settings are involved when the user principal is in a different realm than the service principal and there is a one-way trust from the service realm to the user's realm? – Jayen Jul 04 '12 at 00:39
  • can you provide your full example @user40497? – christopher clark Feb 21 '20 at 14:57
  • For the users of Heimdal, only changing maxlife for the principals is enough (unless you set it in the .conf) – Braiam Jun 19 '21 at 18:24