Enlarging the maximum renewable lifetime

Enlarging the maximum renewable lifetime
	Renewal of Kerberos tickets

The max renewable lifetime for the default user in our realm is set to a week. Let's make it a year:

Allowing year-long renewable tickets on the server

kadmin> get default@MY.REALM Principal: default@MY.REALM <snip> Max ticket life: 1 day Max renewable life: 1 week <snip> Aliases: kadmin> modify default@MY.REALM Max ticket life [1 day]: Max renewable life [1 week]:1year <snip> kadmin> get default@RUG.NL Principal: default@MY.REALM <snip> Max ticket life: 1 day Max renewable life: 1 year <snip> kadmin>

Note

Note that this affects only new principals, and that it should be done for all principals.

	Note
Note that this affects only new principals, and that it should be done for all principals.

Asking for year-long renewable tickets on the client

In /etc/krb5.conf on the client, put:

<snip>
[appdefaults]
forwardable = true
pam = {
        minimum_uid = 1000000
        renew_lifetime=365d 
        MY.REALM = {
                  ignore_k5login = true
                  debug = true
                 }
      }
<snip>

This is the line that matters

Test login

admin@bosshost:~$ ssh user@host <snip> user@host:~$ klist -v <snip> Auth time: Mar 17 11:36:51 2011 End time: Mar 17 21:36:51 2011 Renew till: Mar 16 11:36:51 2012 <snip>