Ticket Lifetimes
Any time a principal obtains a ticket, including a ticket-granting ticket, the ticket's lifetime is set as the smallest of the following lifetime values:
-
The lifetime value specified by the -l option of kinit, if kinit is used to get the ticket
-
The maximum lifetime value (max_life) specified in the kdc.conf file
-
The maximum lifetime value specified in the Kerberos database for the service principal providing the ticket. (In the case of kinit, the service principal is krbtgt/realm)
-
The maximum lifetime value specified in the Kerberos database for the user principal requesting the ticket.
Figure 7-1 shows how a TGT's lifetime is determined and illustrates where the four lifetime values come from. Even though Figure 7-1 shows how a TGT's lifetime is determined, basically the same thing happens when any principal obtains a ticket. The only differences are that kinit doesn't provide a lifetime value, and the service principal providing the ticket provides a maximum lifetime value (instead of the krbtgt/realm principal).
Figure 7-1 How a TGT's Lifetime is Determined
The renewable ticket lifetime is also determined from the minimum of four values, but renewable lifetime values are used instead:
-
The renewable lifetime value specified by the -r option of kinit, if kinit is used to obtain or renew the ticket
-
The maximum renewable lifetime value (max_renewable_life) specified in the kdc.conf file
-
The maximum lifetime renewable value specified in the Kerberos database for the service principal providing the ticket (In the case of kinit, the service principal is krbtgt/realm)
-
The maximum lifetime renewable value specified in the Kerberos database for the user principal requesting the ticket
- © 2010, Oracle Corporation and/or its affiliates