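Ticket lifetime
A Kerberos ticket has a lifetime; once that time is exceeded the ticket expires and must be requested again or renewed. The ticket lifetime is determined by the smallest of the following five settings:
1. max_life in /var/kerberos/krb5kdc/kdc.conf on the Kerberos server
2. The maximum ticket life of the built-in principal krbtgt, which can be viewed with the getprinc command in kadmin
3. The principal's maximum ticket life, viewed with the getprinc command in kadmin. Example: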
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
4. ticket_lifetime in /etc/krb5.conf on the Kerberos client
ticket_lifetime = 24h
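5. The time given after the -l option of kinit. Example:
To obtain a ticket-granting ticket with a lifetime of 10 hours that is renewable for five days, enter: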
kinit -l 10h -r 5d my_principal
To renew an existing ticket, enter:
kinit -R
Steps to extend the ticket lifetime:
1) max_life in /var/kerberos/krb5kdc/kdc.conf
[realms]
HKDC = {
……
max_life = 5d
max_renewable_life = 10d
}
2) Maximum ticket life of the built-in principal krbtgt
modprinc -maxlife 2days krbtgt/HKDC@HKDC
3) Maximum ticket life of the principal
modprinc -maxlife 2days hbase/fys1.cmss.com@HKDC
The principal after the change:
kadmin.local: getprinc hbase/fys1.cmss.com@HKDC
Principal: hbase/fys1.cmss.com@HKDC
Maximum ticket life: 2 days 00:00:00
Maximum renewable life: 2 days 00:00:00
4) ticket_lifetime in /etc/krb5.conf
[libdefaults]
renew_lifetime = 7d
ticket_lifetime = 2d
Obtain a ticket as follows:
kinit -kt hbase.service.keytab hbase/fys1.cmss.com@HKDC
The resulting lifetime:
[root@fys1 keytabs]# klist
Default principal: hbase/fys1.cmss.com@HKDC
Valid starting     Expires            Service principal
09/11/17 16:22:47  09/13/17 16:22:47  krbtgt/HKDC@HKDC
The ticket lifetime is two days.
5) Specify the ticket lifetime with kinit -l
The commands are as follows:
kadmin: modprinc -maxrenewlife 11days +allow_renewable {principal}
kadmin: modprinc -maxlife 6minutes {principal}
kadmin: getprinc {principal} // show the details of the principal
kinit -R // renew the current ticket
kinit {principal} -kt {keytab file} // obtain a ticket for the principal from a keytab file
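
The minimum rule described at the top of this page can be checked before any setting is changed. The following Python is an added example, not code from the original page: it parses the duration formats shown here and reports which settings cap the ticket. It assumes that kinit -l, when given, is the requested lifetime in place of the krb5.conf ticket_lifetime default; the function names and SAMPLE_GETPRINC are constructed for illustration.

```python
import re

# Duration forms seen on this page: 24h, 5d, 2days, 6minutes and the getprinc
# form "1 day 00:00:00"; a bare number is taken as seconds.
TOKEN = re.compile(r"(\d+)\s*(d|days?|h|hours?|m|mins?|minutes?|s|secs?|seconds?)?(?![a-z])")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Return the duration in seconds; raise ValueError if it cannot be parsed."""
    text, total = text.strip().lower(), 0
    clock = re.search(r"(\d+):(\d+):(\d+)$", text)  # trailing hh:mm:ss part
    if clock:
        h, m, s = map(int, clock.groups())
        total += h * 3600 + m * 60 + s
        text = text[:clock.start()]
    tokens = TOKEN.findall(text)
    if TOKEN.sub("", text).strip() or not (tokens or clock):
        raise ValueError(f"unrecognised duration: {text!r}")
    for number, unit in tokens:
        total += int(number) * UNIT_SECONDS[(unit or "s")[0]]
    return total

def getprinc_field(output, field):
    """Return the value of one 'Field: value' line of kadmin getprinc output."""
    match = re.search(rf"^{re.escape(field)}:\s*(.+)$", output, re.M)
    if match is None:
        raise ValueError(f"{field!r} not found in getprinc output")
    return match.group(1).strip()

def effective_lifetime(kdc_max, krbtgt_max, princ_max, ticket_lifetime, kinit_l=None):
    """Return (seconds, names of the settings that impose that limit)."""
    # Assumption: kinit -l, when given, replaces the krb5.conf ticket_lifetime default.
    requested = kinit_l if kinit_l is not None else ticket_lifetime
    limits = {
        "kdc.conf max_life": parse_duration(kdc_max),
        "krbtgt maximum ticket life": parse_duration(krbtgt_max),
        "principal maximum ticket life": parse_duration(princ_max),
        "client request": parse_duration(requested),
    }
    lowest = min(limits.values())
    return lowest, sorted(name for name, secs in limits.items() if secs == lowest)

# Constructed sample built from the values shown on this page.
SAMPLE_GETPRINC = "Principal: hbase/fys1.cmss.com@HKDC\nMaximum ticket life: 2 days 00:00:00\n"

if __name__ == "__main__":
    life = getprinc_field(SAMPLE_GETPRINC, "Maximum ticket life")
    print(effective_lifetime("5d", "2days", life, "2d"))               # page scenario
    print(effective_lifetime("5d", "2days", life, "2d", kinit_l="10h"))  # kinit -l 10h
```

With the values from the steps above the result is 172800 seconds, which matches the two-day span in the klist output.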