Re: Extending Kerberos ticket lifetime?

#369670
dkallan
Participant

By the way, as an addendum to my earlier post, I was recently doing something else in my LDAP directory when I discovered that these types of multi-line edits can be done directly within the OS X Server Workgroup Manager–no need to use LDAP Studio or anything. What a time saver! I can’t believe I overlooked it for all this time!

Just make sure you have the Inspector enabled in Workgroup Manager and view the Config section. The Inspector is that little target-shaped tab to the right of Users, Groups and Machines. Inside the Config section you will see your KerberosKDC configuration. Select apple-kdc-configdata and hit the Edit… button. Obviously, to do this, you would need to be authenticated as an Open Directory administrator.

Note: You can also edit your apple-xmlplist within cn=Config,cn=KerberosClient if you would like to add something like ticket_lifetime and renew_lifetime to your libdefaults (note that these durations should be specified as 30s or 15m or 10h or 1d). This gets transformed and pushed to your OS X clients as the /Library/Preferences/edu.mit.kerberos file. Additionally, if you are curious about how to enable your screen saver to renew or request tickets when password protected, there is a great tip in the macosxhints forum about how to modify your /etc/authorization file (http://forums.macosxhints.com/showthread.php?t=40129) on your client machines.

Cheers,

Daron Kallan
New York, NY USA
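
An added example, not part of the post above: a small checker an administrator could run against the text of a client's /Library/Preferences/edu.mit.kerberos file to confirm that ticket_lifetime and renew_lifetime arrived in [libdefaults] and use one of the duration forms the post names. It assumes the pushed file uses krb5.conf-style sections and key = value lines; the function names and the sample text are hypothetical, and any value in another form is only reported for manual review.

```python
import re

# Unit suffixes the post names: 30s, 15m, 10h, 1d
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DURATION = re.compile(r"^(\d+)([smhd])$")

def parse_duration(text):
    """Seconds for a value like '10h'; None if not in that form."""
    m = DURATION.match(text.strip())
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def libdefaults(conf_text):
    """Collect key = value pairs from the [libdefaults] section only."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def check_lifetimes(conf_text):
    """Return (seconds_by_key, problems) for the two lifetime settings."""
    values, seconds, problems = libdefaults(conf_text), {}, []
    for key in ("ticket_lifetime", "renew_lifetime"):
        if key not in values:
            problems.append(f"{key}: not set in [libdefaults]")
            continue
        seconds[key] = parse_duration(values[key])
        if seconds[key] is None:
            problems.append(f"{key}: {values[key]!r} is not in the 30s/15m/10h/1d form")
    t, r = seconds.get("ticket_lifetime"), seconds.get("renew_lifetime")
    if t is not None and r is not None and r < t:
        problems.append("renew_lifetime is shorter than ticket_lifetime")
    return seconds, problems

# Constructed sample in krb5.conf syntax, not taken from a real server
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10h
    renew_lifetime = 7 days
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""
```

Calling check_lifetimes(SAMPLE) reports the constructed renew_lifetime value as needing review while converting the 10h ticket lifetime to seconds.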
