Can anyone please explain to me the difference between Kerberos ticket_lifetime vs renew_lifetime?

Hello All,

Can anyone please explain to me the difference between Kerberos ticket_lifetime vs renew_lifetime?

Thanks

Niranjan

1 ACCEPTED SOLUTION

Guru

Hello @Niranjan Rao,

For any Kerberos ticket, the 'ticket_lifetime' (usually 1 day) is the time for which that particular ticket is valid. Once the ticket becomes invalid, there is an option (kinit -R) to renew it. A user can keep renewing her ticket this way until the 'renew_lifetime' time (usually 7 days). The 'renew_lifetime' is calculated from the time the ticket was first acquired.

After 'renew_lifetime' is over, the ticket cannot be used anymore and a fresh ticket must be obtained.

For example, if you acquire a ticket on 1st Jan 00:00:00, it will expire on 1st Jan 23:59:59. You can keep renewing this ticket till 7th Jan 23:59:59. After that, you'll have no choice but to get a new ticket.

Hope this helps!

3 REPLIES

Contributor

Hi,

ticket_lifetime: Every ticket has a lifetime, which is usually less than a day. After this period the ticket is considered expired and you are no longer able to use it. You have to obtain another one.

Renewable tickets have another property, renew_lifetime:

E.g. if your ticket has a 7d renew_lifetime, you can renew your ticket (with kinit -R) for 7d without typing your password again, and the expiration date will be current date + ticket_lifetime. It is important to note that you cannot renew an expired ticket.

So you have 24h as ticket_lifetime and 7d as renew_lifetime. If you acquire your ticket on Monday 00:00, you can use it until Tuesday 00:00. Before it expires (before Tuesday) you can renew it with kinit -R (and you have to renew it every day). In other words, renew_lifetime is the maximum lifetime of a ticket.

As I mentioned earlier, once a ticket has expired (by its ticket_lifetime) you cannot renew it.

Contributor

The purpose of renewable tickets was missed in the provided answers - one renews a ticket in order to avoid the authentication process again. You can issue a renewal request (without authenticating) up until renew_lifetime. Use klist to see the valid/expire/renew timestamps.
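
Added example (not part of any reply above): a Python sketch of the decision a ticket keep-alive job makes from the three klist timestamps, following the replies' points that an expired ticket cannot be renewed and that renewals stop at renew_lifetime. The klist text is a constructed sample in the MIT layout with an assumed MM/DD/YYYY date format, and the function names and one-hour margin are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the MIT klist layout; the date format depends on locale.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 00:00:00  01/02/2024 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/08/2024 00:00:00
"""

FMT = "%m/%d/%Y %H:%M:%S"  # assumption: MM/DD/YYYY, as in the sample above
STAMP = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
TGT_RE = re.compile(
    rf"^({STAMP})\s+({STAMP})\s+krbtgt/\S+[ \t]*(?:\n[ \t]+renew until ({STAMP}))?",
    re.MULTILINE)

def parse_tgt(klist_text):
    """Return (start, expires, renew_until) for the TGT entry.
    renew_until is None when the ticket is not renewable."""
    m = TGT_RE.search(klist_text)
    if m is None:
        raise ValueError("no krbtgt entry found in klist output")
    return tuple(datetime.strptime(s, FMT) if s else None for s in m.groups())

def next_action(now, expires, renew_until, margin=timedelta(hours=1)):
    """Decide what a keep-alive job should run at time `now`."""
    if now >= expires:
        return "kinit"      # expired: renewal is refused, authenticate again
    if now < expires - margin:
        return "wait"       # ticket still comfortably valid
    if renew_until is None or expires >= renew_until:
        return "kinit"      # not renewable, or renewable window used up
    return "kinit -R"       # renew without re-entering the password

def expiry_after_renewal(now, ticket_lifetime, renew_until):
    """A renewal extends validity by ticket_lifetime, capped at renew_until."""
    return min(now + ticket_lifetime, renew_until)
```
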