[OpenAFS] OpenAFS + Kerb5: lifetimes
Jeff Blaine
jblaine@kickflop.net
Thu, 12 Jul 2007 23:50:52 -0400
Okay, maxrenewlife changes are in effect and solved the
creds problem, but the fresh token still only has a
lifetime of 24hrs.
[ Thanks for all the replies, BTW ]
Jeffrey Altman wrote:
> Jeff Blaine wrote:
>> This is MIT Kerberos as shipped with RHELv4.
>>
>> ticket_lifetime = 2d in [libdefaults] of krb5.conf buys
>> me nothing. ticket_lifetime is not a documented option
>> for [libdefaults] according to the official MIT docs.
>>
>> ticket_lifetime=2d as an option to pam_krb5RA.so buys
>> me nothing.
>
> Not in the version of Kerberos shipped by Red Hat.
>> Valid starting Expires Service principal
>> 07/12/07 17:25:36 07/13/07 17:25:36 krbtgt/RCF.MITRE.ORG@RCF.MITRE.ORG
>> renew until 07/12/07 17:25:36
>> 07/12/07 17:25:36 07/13/07 17:25:36 afs@RCF.MITRE.ORG
>> renew until 07/12/07 17:25:36
>
> That's because ...
>
>>>>>> Maximum renewable life: 0 days 00:00:00
>
> You are not permitting a renewable ticket lifetime longer than your
> ticket expiration time.
>
>