ITEM: M2149L

How to extend ticket lifetimes in DCE


Question:

The customer has AIX 3.2.5 and DCE 1.2 installed.
He cannot get a DCE ticket for a principal to go beyond 10
hours. He has set several variables to change the number of hours and
has logged out and logged back in, with no effect. 

The customer increased the maximum ticket lifetime for the registry
to 720 hours and then set the account max ticket lifetime to 720 hours.
When the customer logs in as the DCE principal, it still shows a ticket
lifetime of 10 hours, which was the default.

Response:

In order to increase the default ticket lifetime for a DCE principal,
the following steps should be followed:

- set rgy_edit authentication Policy max certificate lifetime >= 30 days
- set rgy_edit properties Default Certificate lifetime >= 30 days
- set account krbtgt/cellname Max certificate lifetime >= 30 days
  (by default, krbtgt/cellname is synced to the properties Default)
- Then, for ALL other DCE principals that need shorter ticket lifetimes,
  change their account Max certificate lifetime back to about 10 hours

The ticket lifetime for a DCE principal will be set to the smallest
lifetime of the above parameters. 

Note:

Be careful when extending the default ticket lifetime to more than
127 days. Many DCE servers use keytab files to authenticate, and will
change their keytab password every 12 hours (e.g. Encina).
If the default ticket lifetime is greater than 127 days, it is possible 
that keytab entries can fill up before keytab management routines can 
clean up old keytab entries.
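
The following Python sketch is an added example, not part of the original support item and not DCE code. It models the "smallest lifetime wins" rule from the response and counts the 12-hour keytab password changes from the note. The setting names are descriptive labels rather than rgy_edit syntax, and the 10-hour values for the properties default and krbtgt/cellname are assumptions about the customer's registry.

```python
# Added illustration, not IBM or DCE code. Models the rule stated above:
# the ticket lifetime is the smallest of the configured lifetimes.
HOURS_PER_DAY = 24

def effective_lifetime(settings):
    """Return (hours, names of the settings that impose that limit)."""
    limit = min(settings.values())
    return limit, sorted(k for k, v in settings.items() if v == limit)

def key_changes_during(lifetime_hours, change_interval_hours=12):
    """Keytab password changes that occur while one ticket is still valid."""
    return lifetime_hours // change_interval_hours

def report(label, settings):
    hours, limiting = effective_lifetime(settings)
    return f"{label}: {hours} h, limited by {', '.join(limiting)}"

# Constructed values. The customer raised two settings to 720 hours; the
# other two are ASSUMED to still be at the 10-hour default.
customer = {
    "auth policy max certificate lifetime": 720,
    "properties default certificate lifetime": 10,   # assumed unchanged
    "krbtgt/cellname max certificate lifetime": 10,  # assumed unchanged
    "principal account max certificate lifetime": 720,
}
# After following the steps: every setting at 30 days (720 hours).
fixed = {name: 30 * HOURS_PER_DAY for name in customer}

if __name__ == "__main__":
    print(report("as configured", customer))
    print(report("after the steps", fixed))
    for days in (30, 127):
        n = key_changes_during(days * HOURS_PER_DAY)
        print(f"{days}-day ticket spans {n} keytab password changes")
```

Raising only the registry policy maximum and the principal's own account maximum leaves the result at 10 hours, because the two untouched settings still impose the limit.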


Dated: November 1994 Category: N/A
This HTML file was generated 99/06/24~13:30:40