The default maximum life of a Kerberos principal is 1 day. How can I change this to more than a day, or to any configurable value? I am doing getprinc testkerb and getting the following:

  • kadmin.local: getprinc testkerb
  • Principal: [email protected]
  • Expiration date: [never]
  • Last password change: Tue Nov 18 09:55:08 IST 2014
  • Password expiration date: [none]
  • Maximum ticket life: 1 day 00:00:00
  • Maximum renewable life: 0 days 00:00:00
  • Last modified: Tue Nov 18 09:55:08 IST 2014 (factory/[email protected])
  • Last successful authentication: [never]
  • Last failed authentication: [never]
  • Failed password attempts: 0
  • Number of keys: 6
  • Key: vno 1, aes256-cts-hmac-sha1-96, no salt
  • Key: vno 1, aes128-cts-hmac-sha1-96, no salt
  • Key: vno 1, des3-cbc-sha1, no salt
  • Key: vno 1, arcfour-hmac, no salt
  • Key: vno 1, des-hmac-sha1, no salt
  • Key: vno 1, des-cbc-md5, no salt
  • MKey: vno 1
  • Attributes:
  • Policy: [none]

I want to change the highlighted one.

1 Answers

Hi, I got the working steps, so I am updating this. To change the maximum lifetime of a ticket in Kerberos from the default 24 hrs to more than 24 hrs, follow these steps:

Add the max_life property to the /var/kerberos/krb5kdc/kdc.conf file, e.g.: max_life = 168h 0m 0s
Changed the /etc/krb5.conf file, e.g.: ticket_lifetime = 168h 0m 0s
Changed the default principal krbtgt/[email protected] Maximum Life Time, e.g.: modprinc -maxlife 168hours krbtgt/[email protected]

Now we can set the ticket life up to 7 days, i.e. 168 hrs. We can do kinit for a user and check the expiry of the ticket with klist.
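
A check of how the settings named in this thread combine, as an added example that is not part of the original answer: an MIT Kerberos KDC issues a ticket for the smallest of the requested lifetime, the realm max_life, and the maximum ticket life of both the client and the krbtgt principal. The realm name EXAMPLE.COM and the sample getprinc text are constructed placeholders.

```python
import re

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_conf_duration(value):
    """Seconds from a kdc.conf/krb5.conf duration such as '168h 0m 0s'."""
    value = value.strip()
    if value.isdigit():                      # a bare number means seconds
        return int(value)
    parts = re.findall(r"(\d+)\s*([dhms])", value)
    if not parts or re.sub(r"\d+\s*[dhms]\s*", "", value):
        raise ValueError(f"unrecognised duration: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_getprinc_life(output):
    """Seconds from the 'Maximum ticket life' line of getprinc output."""
    m = re.search(r"Maximum ticket life:\s*(\d+) days? (\d+):(\d+):(\d+)", output)
    if not m:
        raise ValueError("no 'Maximum ticket life' line found")
    d, h, mi, s = map(int, m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def effective_life(requested, realm_max, principal_lives):
    """Return (seconds, limiting setting): the KDC grants the smallest limit."""
    limits = {"ticket_lifetime (krb5.conf)": requested,
              "max_life (kdc.conf)": realm_max}
    for name, life in principal_lives.items():
        limits[f"maxlife of {name}"] = life
    limiting = min(limits, key=limits.get)
    return limits[limiting], limiting

# Constructed sample: krbtgt raised to 7 days, testkerb still at its original 1 day.
CLIENT = "Principal: testkerb@EXAMPLE.COM\nMaximum ticket life: 1 day 00:00:00\n"
KRBTGT = "Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM\nMaximum ticket life: 7 days 00:00:00\n"

def check(client_output=CLIENT, krbtgt_output=KRBTGT):
    return effective_life(
        parse_conf_duration("168h 0m 0s"),   # ticket_lifetime in krb5.conf
        parse_conf_duration("168h 0m 0s"),   # max_life in kdc.conf
        {"testkerb": parse_getprinc_life(client_output),
         "krbtgt": parse_getprinc_life(krbtgt_output)})

if __name__ == "__main__":
    seconds, limit = check()
    print(f"effective TGT life: {seconds // 3600}h, limited by {limit}")
```

A principal keeps the maximum ticket life it was created with, so in this sample testkerb stays capped at 1 day until modprinc -maxlife is applied to it as well.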