Ticket Lifetimes
Any time a principal obtains a ticket, including a ticket–granting ticket (TGT), the ticket's lifetime is set as the smallest of the following lifetime values:
-
The lifetime value that is specified by the -l option of kinit, if kinit is used to get the ticket. By default, kinit used the maximum lifetime value.
-
The maximum lifetime value (max_life) that is specified in the kdc.conf file.
-
The maximum lifetime value that is specified in the Kerberos database for the service principal that provides the ticket. In the case of kinit, the service principal is krbtgt/realm.
-
The maximum lifetime value that is specified in the Kerberos database for the user principal that requests the ticket.
Figure 27–1 shows how a TGT's lifetime is determined and where the four lifetime values come from. Even though this figure shows how a TGT's lifetime is determined, basically the same thing happens when any principal obtains a ticket. The only differences are that kinit doesn't provide a lifetime value, and the service principal that provides the ticket provides a maximum lifetime value (instead of the krbtgt/realm principal).
Figure 27–1 How a TGT's Lifetime is Determined
The renewable ticket lifetime is also determined from the minimum of four values, but renewable lifetime values are used instead, as follows:
-
The renewable lifetime value that is specified by the -r option of kinit, if kinit is used to obtain or renew the ticket.
-
The maximum renewable lifetime value (max_renewable_life) that is specified in the kdc.conf file.
-
The maximum lifetime renewable value that is specified in the Kerberos database for the service principal that provides the ticket. In the case of kinit, the service principal is krbtgt/realm.
-
The maximum lifetime renewable value that is specified in the Kerberos database for the user principal that requests the ticket.
- © 2010, Oracle Corporation and/or its affiliates