AFP548

Re: Extending Kerberos ticket lifetime?

By the way, as an addendum to my earlier post, I was recently doing something else in my LDAP directory when I discovered that these types of multi-line edits can be done directly within the OS X Server Workgroup Manager--no need to use LDAP Studio or anything. What a time saver! I can't believe I overlooked it for all this time!

Just make sure you have the Inspector enabled in Workgroup Manager and view the Config section. The Inspector is that little target-shaped tab to the right of Users, Groups and Machines. Inside the Config section you will see your KerberosKDC configuration. Select apple-kdc-configdata and hit the Edit... button. Obviously, to do this, you would need to be authenticated as an Open Directory administrator.

Note: You can also edit your apple-xmlplist within cn=Config,cn=KerberosClient if you would like to add something like ticket_lifetime and renew_lifetime to your libdefaults (note that these durations should be specified as 30s or 15m or 10h or 1d). This gets transformed and pushed to your OS X clients as the /Library/Preferences/edu.mit.kerberos file.

Additionally, if you are curious about how to enable your screen saver to renew or request tickets when password protected, there is a great tip in the macosxhints forum about how to modify your /etc/authorization file (http://forums.macosxhints.com/showthread.php?t=40129) on your client machines.

Cheers,
Daron Kallan
New York, NY USA
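The following is an added example, not part of the original post: a small Python check for the [libdefaults] section of a client's edu.mit.kerberos file that confirms ticket_lifetime and renew_lifetime use the single-unit duration forms the post names (30s, 15m, 10h, 1d). The realm name and sample file are constructed, and the comparison of renew_lifetime against ticket_lifetime is an added sanity check, not something the post states.

```python
import re

# Constructed sample of a pushed edu.mit.kerberos file (realm is a placeholder).
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 10h
    renew_lifetime = 1d
[domain_realm]
    .example.com = EXAMPLE.COM
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DURATION = re.compile(r"^(\d+)([smhd])$")

def parse_duration(text):
    """Return seconds for the single-unit form (30s, 15m, 10h, 1d), else None."""
    m = DURATION.match(text.strip())
    return int(m.group(1)) * UNITS[m.group(2)] if m else None

def libdefaults(conf):
    """Collect key = value pairs from the [libdefaults] section only."""
    section, found = None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def check_lifetimes(conf):
    """Return a list of problems found with the two lifetime settings."""
    opts, secs, problems = libdefaults(conf), {}, []
    for key in ("ticket_lifetime", "renew_lifetime"):
        if key not in opts:
            problems.append(f"{key}: not set")
            continue
        secs[key] = parse_duration(opts[key])
        if secs[key] is None:
            problems.append(f"{key}: '{opts[key]}' is not of the form 30s/15m/10h/1d")
    t, r = secs.get("ticket_lifetime"), secs.get("renew_lifetime")
    # Assumption (added check): a renewable window shorter than the ticket is a mistake.
    if t and r and r < t:
        problems.append("renew_lifetime is shorter than ticket_lifetime")
    return problems
```

On a client, pass the contents of /Library/Preferences/edu.mit.kerberos to check_lifetimes() after the directory change has been pushed; an empty list means both settings are present and well-formed.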