>>>>> "Gary" == Gary LaVoy <[EMAIL PROTECTED]> writes:

Gary> It appears that if I change the maxlife parameter in kdc.conf to
Gary> something > whatever I had it set for when I originally created the
Gary> principal DB, it will not be honored and the maximum life time I can
Gary> assign to a user ticket is limited to whatever it was when I set up
Gary> the db.
[...]
Gary> If I COMPLETELY blow away the db and recreate it with kdc.conf set to
Gary> 7days from the start, then it will work.

The KDC database stores the maximum and renewable maximum lifetimes on
a per-principal basis.  This is arguably a bug in the design.  The KDC
will take the smallest of all the involved lifetimes (client, server,
any the TGS-REQ ticket) as the lifetime of the issued ticket.  You'll
have to change the lifetimes on the client principal and the TGT
principal, as well as on any service principal you wish to
authenticate to.

[maybe this should be a FAQ...]

---Tom
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
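
Added example, not part of the original message: a small audit of the per-principal maximums described in the reply above, showing which principals hold the issued ticket lifetime below a target. The realm, the principal names and the sample text are constructed, and the "Maximum ticket life" line layout is assumed to be that of MIT kadmin's getprinc output.

```python
import re
from datetime import timedelta

# Constructed sample (assumed getprinc-style layout, trimmed to the relevant lines).
SAMPLE_GETPRINC = """\
Principal: gary@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00

Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00

Principal: host/files.example.com@EXAMPLE.COM
Maximum ticket life: 7 days 00:00:00
Maximum renewable life: 7 days 00:00:00
"""

LIFE_RE = re.compile(r"^Maximum ticket life:\s*(\d+) days? (\d+):(\d+):(\d+)\s*$")

def parse_max_lives(text):
    """Map each principal name to its stored maximum ticket life."""
    lives, current = {}, None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            continue
        m = LIFE_RE.match(line)
        if m and current:
            d, h, mi, s = map(int, m.groups())
            lives[current] = timedelta(days=d, hours=h, minutes=mi, seconds=s)
    return lives

def effective_life(requested, lives, client, tgt, service):
    """Smallest of the requested lifetime and each involved principal's maximum."""
    return min([requested] + [lives[p] for p in (client, tgt, service)])

def limiting_principals(target, lives):
    """Principals whose stored maximum is below the target lifetime."""
    return sorted(p for p, life in lives.items() if life < target)

if __name__ == "__main__":
    lives = parse_max_lives(SAMPLE_GETPRINC)
    week = timedelta(days=7)
    print("issued lifetime:", effective_life(
        week, lives, "gary@EXAMPLE.COM",
        "krbtgt/EXAMPLE.COM@EXAMPLE.COM", "host/files.example.com@EXAMPLE.COM"))
    for name in limiting_principals(week, lives):
        print("stored maximum below target:", name)
```

Each principal the audit reports needs its stored maximum raised (for example with kadmin's modprinc -maxlife) before a longer setting in kdc.conf has any visible effect.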
