How to Change the Kerberos Default Ticket Lifetime

Turns out that I also had to change the "maxlife" parameter for the service principal. Specifically, I had to do "modprinc -maxlife 14hours krbtgt/[REALM_in_CAPS]" to get the lifetime increased to 14 hours.

To sum up, the ticket lifetime is the minimum of the following values:

  • max_life in kdc.conf on the KDC servers.

  • ticket_lifetime in krb5.conf on the client machine.

  • maxlife for the user principal.

  • maxlife for the service principal "krbtgt/[REALM_in_CAPS]" => What I had missed!

  • requested lifetime in the ticket request. For example:

    • k5start -l 14h

    • kinit -l 14h

  • maxlife for the AFS service principal "afs/[realm_in_lower_case]", if you want to increase the lifetime of your AFS token.

Mystery solved!
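To find which of the values above is the one capping a ticket, the sketch below (an added example, not part of the original post) parses each setting and reports the smallest. The realm, principal names and sample values are constructed, and it assumes MIT-style kdc.conf/krb5.conf lines and the "Maximum ticket life" field printed by kadmin's getprinc.

```python
import re
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Seconds from '36000', '10:00:00', '14h', '1d 0h 0m 0s' or '0 days 14:00:00'."""
    text, total = text.strip().lower(), 0
    m = re.match(r"(\d+) days? ", text)  # day prefix as printed by kadmin getprinc
    if m:
        total, text = int(m.group(1)) * 86400, text[m.end():]
    if text.isdecimal():
        return total + int(text)
    m = re.fullmatch(r"(\d+):(\d+)(?::(\d+))?", text)
    if m:
        h, mi, s = (int(g or 0) for g in m.groups())
        return total + h * 3600 + mi * 60 + s
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts or re.sub(r"\d+\s*[dhms]|\s", "", text):
        raise ValueError(f"unrecognised duration: {text!r}")
    return total + sum(int(n) * UNITS[u] for n, u in parts)

def conf_value(conf_text, key):
    """First 'key = value' line in a krb5.conf/kdc.conf style file, or None."""
    m = re.search(rf"^\s*{re.escape(key)}\s*=\s*(.+?)\s*$", conf_text, re.M)
    return m.group(1) if m else None

def princ_maxlife(getprinc_output):
    """'Maximum ticket life' field from kadmin getprinc output, or None."""
    m = re.search(r"^Maximum ticket life:\s*(.+?)\s*$", getprinc_output, re.M)
    return m.group(1) if m else None

def limiting_factor(limits):
    """Given {label: duration string or None}, return (label, seconds) of the minimum."""
    secs = {k: parse_duration(v) for k, v in limits.items() if v is not None}
    label = min(secs, key=secs.get)
    return label, secs[label]

# Constructed sample inputs (realm, principals and values are made up).
KDC_CONF = "[realms]\n EXAMPLE.COM = {\n  max_life = 1d 0h 0m 0s\n }\n"
KRB5_CONF = "[libdefaults]\n ticket_lifetime = 24h\n"
USER = "Principal: alice@EXAMPLE.COM\nMaximum ticket life: 1 day 00:00:00\n"
KRBTGT = "Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM\nMaximum ticket life: 0 days 10:00:00\n"

def audit(requested="14h"):
    return limiting_factor({
        "kdc.conf max_life": conf_value(KDC_CONF, "max_life"),
        "krb5.conf ticket_lifetime": conf_value(KRB5_CONF, "ticket_lifetime"),
        "user principal maxlife": princ_maxlife(USER),
        "krbtgt principal maxlife": princ_maxlife(KRBTGT),
        "requested (-l)": requested,
    })
```

With the constructed data, audit() points at the krbtgt principal's maxlife (10 hours) even though every other setting allows 14 hours or more. Keys that are unset are skipped rather than replaced with the built-in default.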