renewable in krb5.conf
jaltman at secure-endpoints.com
Thu Mar 15 11:44:36 CET 2018
On 3/15/2018 4:57 AM, Andreas Haupt wrote:
> Hi Harald,
> On Thu, 2018-03-15 at 09:30 +0100, Harald Barth wrote:
>> Is there really no way to make kinit have "renewable" as default (like
>> "forwardable" in [libdefaults] in /etc/krb5.conf)?
>> If no, is there any good reason for it?
> We have:
> renew_lifetime = 30d
You also need to specify

    renewable = true

if you want all tickets to be requested as renewable. renew_lifetime
simply sets the default renew lifetime to request.

As far as I am concerned the client should always request the maximum
supported "lifetime" and "renew_lifetime" in order to permit the KDC
settings to take precedence.

Unfortunately, KDC implementation choices mean that there is no
well-defined value for maximum lifetime and renew_lifetime. 180 days
appears to be safe enough.