When working with MIT Kerberos 5, ticket lifetime is determined by a cascading set of configurations. The effective lifetime is the minimum value among:
- Client's requested lifetime (if specified)
- Service principal's max life setting
- KDC's maximum ticket lifetime (max_life in kdc.conf)
- Realm's default ticket lifetime
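The cascade above is easiest to reason about when you compute it. The script below is an added example, not code from the original page or from MIT Kerberos itself: it parses the duration spellings the page uses (kdc.conf "14h 0m 0s", kinit -l "13h30m", modprinc "14 hours"), reads the "Maximum ticket life: 0 days 14:00:00" line that kadmin getprinc prints for a principal, and reports which setting ends up limiting the ticket. All inputs (the KDC_MAX_LIFE, KINIT_REQUEST and the two getprinc transcripts) are constructed, and the function and variable names are this example's own.

```python
"""Work out which setting in the ticket-lifetime cascade actually limits a ticket.

Added example, not part of the original page or of MIT Kerberos. It parses the
duration formats the page uses (kdc.conf "14h 0m 0s", kinit -l "13h30m",
modprinc "14 hours") and the "Maximum ticket life: 0 days 14:00:00" line that
`kadmin getprinc` prints, then takes the minimum. All inputs are constructed.
"""
import re
from datetime import timedelta

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_DELTAT_TOKEN = re.compile(r"(\d+)(days?|hours?|minutes?|seconds?|[dhms])")
_GETPRINC_LIFE = re.compile(
    r"Maximum (ticket|renewable) life:\s*(\d+) days? (\d+):(\d+):(\d+)")


def parse_deltat(text: str) -> timedelta:
    """Parse a krb5 duration string: "14h 0m 0s", "7d", "13h30m", "14 hours", "3600"."""
    compact = re.sub(r"\s+", "", text.lower())
    if compact.isdigit():                       # a bare number is seconds
        return timedelta(seconds=int(compact))
    total, pos = 0, 0
    for m in _DELTAT_TOKEN.finditer(compact):
        if m.start() != pos:                    # junk between tokens
            raise ValueError(f"unrecognised duration: {text!r}")
        total += int(m.group(1)) * _UNIT_SECONDS[m.group(2)[0]]
        pos = m.end()
    if pos == 0 or pos != len(compact):         # nothing parsed, or trailing junk
        raise ValueError(f"unrecognised duration: {text!r}")
    return timedelta(seconds=total)


def parse_getprinc(output: str) -> dict:
    """Return {"ticket": timedelta, "renewable": timedelta} from `getprinc` output."""
    lives = {}
    for kind, d, h, m, s in _GETPRINC_LIFE.findall(output):
        lives[kind] = timedelta(days=int(d), hours=int(h), minutes=int(m), seconds=int(s))
    return lives


def effective_lifetime(**limits: timedelta):
    """Smallest non-zero limit wins; returns (lifetime, name of the limiting setting).

    A zero/None value means "not set": a principal whose max life is 0 imposes no
    limit of its own, so the realm's max_life applies to it.
    """
    applicable = {name: td for name, td in limits.items() if td}
    if not applicable:
        raise ValueError("no lifetime limit supplied")
    name = min(applicable, key=applicable.get)
    return applicable[name], name


# --- constructed inputs, in the shapes the page shows ----------------------------
KDC_MAX_LIFE = "14h 0m 0s"            # kdc.conf [realms] max_life
KINIT_REQUEST = "13h30m"              # what the client asked for with kinit -l
USER_GETPRINC = """\
Principal: testuser@EXAMPLE.COM
Maximum ticket life: 0 days 14:00:00
Maximum renewable life: 7 days 00:00:00
"""
TGT_GETPRINC = """\
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
"""


def demo():
    """The 'still 10 hours' symptom: the krbtgt principal was never updated."""
    return effective_lifetime(
        requested=parse_deltat(KINIT_REQUEST),
        user_principal=parse_getprinc(USER_GETPRINC)["ticket"],
        krbtgt_principal=parse_getprinc(TGT_GETPRINC)["ticket"],
        kdc_max_life=parse_deltat(KDC_MAX_LIFE),
    )


if __name__ == "__main__":
    life, source = demo()
    print(f"effective lifetime {life}, limited by {source}")
```

Feed it the real values from your own kdc.conf and getprinc output for both the user and the krbtgt principal; the returned name tells you which of the four settings to change first.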
Here's the proper sequence to modify ticket lifetime across your Kerberos infrastructure:
1. KDC Server Configuration
# /etc/krb5kdc/kdc.conf
[realms]
EXAMPLE.COM = {
max_life = 14h 0m 0s
max_renewable_life = 7d
default_principal_flags = +renewable
}
After modifying, restart the KDC service:
sudo systemctl restart krb5-kdc
2. Principal Modification
Update both service principals and user principals:
kadmin.local -q "modprinc -maxlife 14hours krbtgt/EXAMPLE.COM@EXAMPLE.COM"
kadmin.local -q "modprinc -maxlife 14hours user/principal@EXAMPLE.COM"
3. Client Configuration
For consistent behavior across clients:
# /etc/krb5.conf
[libdefaults]
# ticket_lifetime is the client-side default that kinit requests when no -l is given.
# The hard upper bounds (max_life, max_renewable_life) live in kdc.conf on the KDC,
# not here; the KDC clamps any request that exceeds them.
ticket_lifetime = 13h
[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com
admin_server = kdc1.example.com
}
To verify your changes:
# Request a ticket with explicit lifetime
kinit -l 13h30m principal@EXAMPLE.COM
# Check ticket details
klist
# Expected output:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: principal@EXAMPLE.COM

Valid starting       Expires              Service principal
04/14/2023 10:00:00  04/14/2023 23:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	renew until 04/21/2023 10:00:00
If changes aren't taking effect:
- Verify all KDCs in the realm have consistent configurations
- Check for conflicting settings in the /etc/krb5.conf.d/ directory
- Ensure no SELinux/AppArmor policies are interfering
- Check KDC logs (/var/log/krb5kdc.log) for errors
For more granular control, consider:
# Per-service ticket policies
kadmin.local -q "addpol -maxlife 8h short-lived-services"
kadmin.local -q "modprinc -policy short-lived-services service/ssh@EXAMPLE.COM"
# Renewable tickets configuration
kinit -r 7d -l 13h principal@EXAMPLE.COM
Many administrators working with MIT Kerberos 5 encounter this scenario: despite configuring max_life in kdc.conf and setting principal policies, tickets stubbornly default to 10 hours. Here's what's really happening under the hood.
To properly modify ticket lifetimes, you must coordinate settings across these components:
# /etc/krb5kdc/kdc.conf (KDC Server)
[realms]
EXAMPLE.COM = {
max_life = 14h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
# /etc/krb5.conf (Client)
# These are the client-side defaults kinit requests; the KDC still clamps them
# to its own max_life / max_renewable_life.
[libdefaults]
ticket_lifetime = 13h
renew_lifetime = 7d
Even with correct KDC settings, individual principals need explicit policy updates:
kadmin: modprinc -maxlife "14 hours" -maxrenewlife "7 days" testuser@EXAMPLE.COM
kadmin: getprinc testuser@EXAMPLE.COM
Attributes: DISALLOW_FORWARDABLE
Policy: [none]
Maximum ticket life: 0 days 14:00:00
Maximum renewable life: 7 days 00:00:00
Test your configuration with these diagnostic tools:
# Check actual ticket lifetime
kinit -l 13h testuser
klist
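Reading klist by eye is where the "it still says 10 hours" confusion usually starts. The script below is an added example, not code from the original page or from MIT Kerberos: it parses klist output in the layout shown on this page (both the four-digit and the two-digit year form that klist prints depending on version and locale), computes how long each ticket was actually granted for, and flags tickets whose granted lifetime is shorter than what kinit -l asked for, which means some setting in the cascade clamped the request. It serves both verification steps on the page (the earlier kinit -l 13h30m / klist check and the one just above). SAMPLE_KLIST is constructed, not a real capture, and the function names are this example's own.

```python
"""Read `klist` output and tell whether the KDC honoured the lifetime you asked for.

Added example, not part of the original page or of MIT Kerberos. SAMPLE_KLIST is
constructed in the layout the page shows; the parser accepts both the four-digit
and the two-digit year forms that klist prints.
"""
import re
from datetime import datetime, timedelta

_TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_TICKET_LINE = re.compile(rf"^({_TS})\s+({_TS})\s+(\S+)\s*$")
_RENEW_LINE = re.compile(rf"^\s*renew until ({_TS})\s*$")

# Constructed: what you see when the cascade clamps a 13h request to 10h.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser@EXAMPLE.COM

Valid starting       Expires              Service principal
04/14/2023 10:00:00  04/14/2023 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 04/21/2023 10:00:00
04/14/2023 10:05:00  04/14/2023 20:00:00  host/web1.example.com@EXAMPLE.COM
"""


def _parse_ts(text: str) -> datetime:
    """klist prints either 04/14/2023 10:00:00 or 04/14/23 10:00:00."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_klist(output: str) -> list:
    """One dict per ticket: service, start, expires, renew_until (None if not renewable)."""
    tickets = []
    for line in output.splitlines():
        m = _TICKET_LINE.match(line)
        if m:
            start, expires, service = m.groups()
            tickets.append({"service": service, "start": _parse_ts(start),
                            "expires": _parse_ts(expires), "renew_until": None})
            continue
        m = _RENEW_LINE.match(line)
        if m and tickets:                    # "renew until" belongs to the ticket above it
            tickets[-1]["renew_until"] = _parse_ts(m.group(1))
    return tickets


def check_lifetimes(output: str, requested: timedelta) -> list:
    """Compare each ticket's granted lifetime with what kinit -l asked for.

    'clamped' means some setting in the KDC/principal cascade cut the request short,
    which is exactly the symptom the page describes.
    """
    findings = []
    for t in parse_klist(output):
        granted = t["expires"] - t["start"]
        renew = t["renew_until"]
        findings.append({
            "service": t["service"],
            "granted": granted,
            "clamped": granted < requested,
            "renewable_for": (renew - t["start"]) if renew else None,
        })
    return findings


if __name__ == "__main__":
    for f in check_lifetimes(SAMPLE_KLIST, timedelta(hours=13)):
        flag = "CLAMPED" if f["clamped"] else "ok"
        print(f"{f['service']}: granted {f['granted']} ({flag}), "
              f"renewable for {f['renewable_for']}")
```

Pipe real output in with `klist | python3 check_lifetimes.py` style wrappers if you want to script it; the point is that a clamped TGT tells you to go back to the cascade (kdc.conf max_life, the krbtgt and user principals' maxlife), while a clamped service ticket with an unclamped TGT points at the service principal's own maxlife or policy.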
# Verify KDC defaults
kadmin -q "getpol default"
When dealing with trust relationships, the shortest lifetime wins. For cross-realm tickets:
# Check inter-realm constraints
kadmin -q "get_principal krbtgt/OTHERREALM@EXAMPLE.COM"
For Ubuntu Hardy+ systems using systemd:
# /etc/systemd/system/krb5-kdc.service.d/override.conf
[Service]
RestartSec=5
# Caution: a master password passed with -P is readable by anyone who can read this
# unit file or the process list. Prefer creating the stash file once, out of band,
# and letting the KDC read it at start-up.
ExecStartPre=/usr/sbin/kdb5_util -P changeme stash
Symptom | Solution
---|---
Changes not applying after restart | Verify the krb5kdc process actually reloaded: ps aux \| grep krb5kdc
Only some principals affected | Check individual principal policies with getprinc
Client still gets 10-hour tickets | Confirm the client's krb5.conf doesn't have overriding defaults