Kerberos - Maximum renewable lifetime

Question

I am trying to set the maximum renewable lifetime of the issued Kerberos tickets to 365 days, however, the following changes that I have made seem to be ignored:

Inside /etc/krb5.conf:

[libdefaults]
...
    renew_lifetime = 365d
...

[appdefaults]
    pam = {
    ...
       renew_lifetime = 365d 
    ...
    }

Within a kadmin session:

kadmin:  modprinc -maxrenewlife 365day krbtgt/REALM
kadmin:  modprinc -maxrenewlife 365day stefan

I then proceeded to issue a new ticket via kinit:

$ kinit -r 365d

However, the resulting ticket has a renew lifetime of 7 days only:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: stefan@REALM

Valid starting       Expires              Service principal
2017-03-09 21:15:31  2017-03-10 09:15:31  krbtgt/REALM@REALM
    renew until 2017-03-16 21:15:31

Did I miss something? I am using MIT Kerberos Version 1.13.7.

EDIT: I solved the problem by adding the max_renewable_life parameter to the realms section.

score 2 · Accepted Answer · answered Mar 12 '17 at 10:03

2

I solved the problem by adding the max_renewable_life parameter to the realms section.

[realms]
    REALM = {
        ...
        max_renewable_life = 365d
    }

answered Mar 12 '17 at 10:03

sacrum_victum

61
1
5

Kerberos - Maximum renewable lifetime

1 Answers1