[OpenAFS] Lifetime tokens on kerberos authentication against AD
John W. Sopko Jr.
sopko@cs.unc.edu
Tue, 23 Jan 2007 15:03:23 -0500
> Hello,
>
> Is there a possibility to change the (default) lifetime of a token when
> there is kerberos authentication against an Active Directory?
>
> If so, how could this be possible?
>
> regards,
> Alexander Al.
I researched and found that you need to change the Group Policy on the
domain controller for the following settings that are under the "Windows
Settings +Security Settings +Account Policies +Kerberos Policies".
It is not recommended to make changes in the "Default Domain Policy"
which was not enforced by default.
So I created a new group policy object, edited the Kerberos
settings, then set the enforce option on the object. I can
now get tickets/tokens for whatever I set the times to <|:-)
Policy                                     Setting
Enforce user login restrictions            Enabled
Maximum lifetime for service ticket        7200 minutes
Maximum lifetime for user ticket           120 hours
Maximum lifetime for user ticket renewal   10 days
Maximum tolerance for computer clock       5 minutes
The defaults are:
Policy                                     Setting
Enforce user login restrictions            Enabled
Maximum lifetime for service ticket        600 minutes
Maximum lifetime for user ticket           10 hours
Maximum lifetime for user ticket renewal   7 days
Maximum tolerance for computer clock       5 minutes
Remember you need to use the "kinit -l" option to increase
your tgt lifetime from the default 10 hours when getting
a new tgt.
--
John W. Sopko Jr. University of North Carolina
email: sopko AT cs.unc.edu Computer Science Dept., CB 3175
Phone: 919-962-1844 Sitterson Hall; Room 044
Fax: 919-962-1799 Chapel Hill, NC 27599-3175
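A small audit script, added here as an illustration and not part of the original thread or of OpenAFS: it parses the default output of MIT `klist` from a credential cache and checks each ticket's lifetime and renewal window against a Kerberos policy table like the two in the post above (the AD defaults and the raised values). The sample `klist` text is constructed for the example and the date format assumed is the one MIT `klist` prints in a C locale (`MM/DD/YYYY HH:MM:SS`); both are assumptions, not output taken from the thread. Running it against the defaults shows which tickets would be rejected or clamped by a domain that has not had its policy raised, which is the same check a defender would run to spot credential caches holding unusually long-lived tickets.

```python
import re
from datetime import datetime

# Policy tables taken from the post: AD defaults and the raised values.
DEFAULT_POLICY = {"user_ticket_hours": 10, "service_ticket_minutes": 600, "renewal_days": 7}
RAISED_POLICY = {"user_ticket_hours": 120, "service_ticket_minutes": 7200, "renewal_days": 10}

# Constructed sample in the shape MIT klist prints by default (assumption:
# C-locale date format). Not real output from the thread.
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
01/23/2007 15:03:23  01/28/2007 15:03:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 02/02/2007 15:03:23
01/23/2007 15:03:23  01/24/2007 03:03:23  afs/cs.unc.edu@EXAMPLE.COM
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TICKET_RE = re.compile(rf"^({TS})\s+({TS})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s+renew until ({TS})$")
FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Return a list of tickets: service, start, expires and optional renew_until."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "service": m.group(3),
                "start": datetime.strptime(m.group(1), FMT),
                "expires": datetime.strptime(m.group(2), FMT),
                "renew_until": None,
            })
            continue
        r = RENEW_RE.match(line)
        if r and tickets:
            # The "renew until" line always refers to the ticket just above it.
            tickets[-1]["renew_until"] = datetime.strptime(r.group(1), FMT)
    return tickets


def audit(tickets, policy):
    """Return (service, check, observed, limit) for every ticket outside policy."""
    findings = []
    for t in tickets:
        life_min = (t["expires"] - t["start"]).total_seconds() / 60
        is_tgt = t["service"].startswith("krbtgt/")
        # The TGT is bound by the user-ticket limit, everything else by the
        # service-ticket limit; both are compared in minutes.
        limit = policy["user_ticket_hours"] * 60 if is_tgt else policy["service_ticket_minutes"]
        if life_min > limit:
            findings.append((t["service"], "lifetime_minutes", life_min, limit))
        if is_tgt and t["renew_until"] is not None:
            renew_days = (t["renew_until"] - t["start"]).total_seconds() / 86400
            if renew_days > policy["renewal_days"]:
                findings.append((t["service"], "renewal_days", renew_days, policy["renewal_days"]))
    return findings


if __name__ == "__main__":
    cache = parse_klist(SAMPLE_KLIST)
    for name, pol in (("defaults", DEFAULT_POLICY), ("raised", RAISED_POLICY)):
        print(f"against {name}: {audit(cache, pol) or 'within policy'}")
```

The TGT in the sample was requested with a five-day lifetime and a ten-day renewal window, which only fits once the domain policy has been raised as described in the post; against the default table the script reports the TGT lifetime, its renewal window and the 12-hour AFS service ticket as all exceeding their limits.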