I am trying to set the maximum renewable lifetime of the issued Kerberos tickets to 365 days, however, the following changes that I have made seem to be ignored:
Inside /etc/krb5.conf:
[libdefaults]
...
renew_lifetime = 365d
...
[appdefaults]
pam = {
...
renew_lifetime = 365d
...
}
Within a kadmin session:
kadmin: modprinc -maxrenewlife 365day krbtgt/REALM
kadmin: modprinc -maxrenewlife 365day stefan
I then proceeded to issue a new ticket via kinit:
$ kinit -r 365d
However, the resulting ticket has a renew lifetime of 7 days only:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: stefan@REALM
Valid starting Expires Service principal
2017-03-09 21:15:31 2017-03-10 09:15:31 krbtgt/REALM@REALM
renew until 2017-03-16 21:15:31
Did I miss something? I am using MIT Kerberos Version 1.13.7.
EDIT: I solved the problem by adding the max_renewable_life parameter to the realms section.
Best Answer
I solved the problem by adding the max_renewable_life parameter to the realms section.