[OpenAFS] default token lifetime in Windows OpenAFS client

Dj Merrill deej@thayer.dartmouth.edu
Thu, 13 Oct 2005 14:21:16 -0400


Jeffrey Altman wrote:

> To be honest though. I don't know what you are attempting to
> achieve here. If you give permissions for your users to obtain
> TGTs that have lifetimes longer than 25 hours, your users can obtain
> tickets and therefore tokens that have lifetimes longer than 25 hours.
> If you want to only allow a subset of your users to obtain tickets
> with lifetimes longer than 25 hours, you should be placing these
> limits in the KDB.
> 
> The lifetimes set in the registry are defaults that are designed to
> be altered by the end user via Leash and do not apply at all to tickets
> obtained via other tools.


	Correct, we simply want the default token lifetime to
be 25 hours on both our Linux and Windows clients.  If someone wants to
manually obtain a longer lifetime (as some will do to run some of
their computational jobs), they are allowed to do so up to the max that
we have set on the server (30 days).

-Dj