Kerberos ticket_lifetime parameter set value is not working. (Doc ID 2993139.1)

Last updated on FEBRUARY 01, 2024

Applies to:

Advanced Networking Option - Version 19.17.0.0.0 and later
Information in this document applies to any platform.

Goal

1) The expiry time of a Kerberos user ticket can be set to a value X with the following parameters in the krb5.conf file:

[libdefaults]

ticket_lifetime = 24h <<<<<<<<<<<<< Which is set to 24h (1day)
renew_lifetime = 7d <<<<<<<<<<<<<

 

For any Kerberos ticket, 'ticket_lifetime' (usually 1 day) is the time for which that particular ticket is valid. Once the ticket becomes invalid, it can be renewed with kinit -R. A user can keep renewing the ticket this way until the 'renew_lifetime' (usually 7 days) is reached. The 'renew_lifetime' is calculated from the time the ticket was first acquired.

After 'renew_lifetime' is over, the ticket cannot be used anymore and a fresh ticket must be obtained.

 

2) Sometimes the value set for ticket_lifetime does not take effect and the user ticket expires before the configured X value.

In the example below, the ticket expires within 10 hours.

[oracle@test-oracle19 ~]$ oklist

Kerberos Utilities for Linux: Version 19.0.0.0.0 - Production on 10-NOV-2023 14:49:28

Copyright (c) 1996, 2019 Oracle. All rights reserved.

Configuration file : /etc/krb5.conf.
Ticket cache: FILE:/tmp/krb.cc
Default principal: xx@oracle.com

Valid starting Expires Service principal
11/10/23 14:49:19 11/11/23 00:49:19 krbtgt/xx.COM.xx@xx.COM.xx <<<<<<<<<<<<<<<<<<<<<< 10 hours later Expires
renew until 11/17/23 14:49:15
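
The check below is an added example, not part of the Oracle note: it parses the krb5.conf settings and the oklist output shown above and reports any lifetime that was granted shorter than configured. The function names, the MM/DD/YY timestamp format (taken from the sample output) and the 5-minute tolerance are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the krb5.conf fragment and oklist output shown above.
KRB5_CONF = "[libdefaults]\nticket_lifetime = 24h\nrenew_lifetime = 7d\n"
OKLIST_OUT = """Valid starting Expires Service principal
11/10/23 14:49:19 11/11/23 00:49:19 krbtgt/xx.COM.xx@xx.COM.xx
renew until 11/17/23 14:49:15
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"  # MM/DD/YY HH:MM:SS, as in the sample
FMT = "%m/%d/%y %H:%M:%S"
SKEW = timedelta(minutes=5)  # assumed tolerance for small clock differences

def parse_duration(text):
    """Convert '24h', '7d', '1d12h' or bare seconds to a timedelta (h:m:s not handled)."""
    text = text.strip()
    if text.isdigit():
        return timedelta(seconds=int(text))
    parts = re.findall(r"(\d+)([smhd])", text)
    if not parts:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * UNITS[u] for n, u in parts))

def libdefault(conf, key):
    """Return the duration set for key in the [libdefaults] section, or None."""
    section = None
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "libdefaults" and "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            if name == key:
                return parse_duration(value)
    return None

def granted(oklist):
    """Return (ticket lifetime, renewable window) of the krbtgt entry in oklist output."""
    tgt = re.search(STAMP + r"\s+" + STAMP + r"\s+krbtgt/", oklist)
    if not tgt:
        raise ValueError("no krbtgt entry found in ticket cache listing")
    start, end = (datetime.strptime(s, FMT) for s in tgt.groups())
    ren = re.search(r"renew until\s+" + STAMP, oklist)
    return end - start, (datetime.strptime(ren.group(1), FMT) - start if ren else None)

def check(conf, oklist):
    """List (setting, configured, granted) where the ticket is shorter than configured."""
    pairs = zip(("ticket_lifetime", "renew_lifetime"), granted(oklist))
    return [(key, libdefault(conf, key), got) for key, got in pairs
            if got is not None and libdefault(conf, key) is not None
            and got + SKEW < libdefault(conf, key)]
```

For the sample above, `check(KRB5_CONF, OKLIST_OUT)` reports only ticket_lifetime (24 hours configured, 10 hours granted); the renewable window is within the tolerance of 7 days.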

 

Solution
