Setting Ticket Lifetimes
You should be aware of two other options set by the dcecp registry modify command: default ticket lifetime and minimum ticket lifetime.
· Minimum Ticket Lifetime - The shortest possible lifetime that can be assigned to a ticket. Note that the actual effective value of minimum ticket lifetime is affected by default certificate lifetime.
· Default Ticket Lifetime - The lifetime granted for tickets, unless the principal specifically requests a different lifetime. Although a principal can request a specific lifetime for a ticket, the majority accept the default lifetime. (If a principal requests a ticket lifetime of 0 (zero), the default lifetime is assigned to the ticket.) Note that the actual effective value of default ticket lifetime is affected by maximum certificate lifetime.
The actual lifetimes assigned to tickets depend on rules enforced by the DCE Security Service regarding the settings of maximum ticket lifetime, default ticket lifetime, and minimum ticket lifetime.
These rules are as follows:
· The maximum ticket lifetime can never be larger than the renewable ticket lifetime (in other words, max_life = min(max_life, renewable_life)) or less than 60 seconds. If the maximum ticket lifetime is larger than the renewable ticket lifetime, then the renewable ticket lifetime is used as the maximum ticket lifetime. For example, suppose an account's is set to 15 hours. If you set the renewable ticket lifetime to 20 hours, the effective maximum ticket lifetime is not 20, but 15 hours.
· The default ticket lifetime can never be larger than the maximum ticket lifetime (in other words, default_life = min(default_life, max_life)) or less than 60 seconds. If the default ticket lifetime is larger than the maximum ticket lifetime, then the maximum ticket lifetime is used as the default ticket lifetime. For example, suppose registry policy specifies a default ticket lifetime of 25 hours. If you set the registry's maximum ticket lifetime to 15 hours, the registry's effective default certificate lifetime is not 25, but 15 hours.
· The minimum ticket lifetime can never be larger than the default certificate lifetime (in other words, min_life = min(min_life, default_life)) or less than 60 seconds. If the minimum ticket lifetime is larger than the default certificate lifetime, then the default ticket lifetime is used as the minimum ticket lifetime. For example, suppose registry policy specifies a default ticket lifetime of 10 hours. If you set an account's minimum ticket lifetime to 15 hours, the account's effective minimum ticket lifetime is not 15, but 10 hours.
Although dcecp lets you enter values contrary to the rules and displays these values when you view the account's policies (with the account show command), the values used are the ones described in the rules, not the ones you entered.
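Because the displayed values can differ from the ones in force, it helps to compute the effective values when reviewing a policy. The following Python sketch is an added example, not DCE or dcecp code; it assumes lifetimes in seconds, that the three rules are applied in the order listed above, and that the 60-second floor is applied after the cap. The names Lifetimes, clamp, effective and overridden are hypothetical.

```python
from dataclasses import dataclass

HOUR = 3600
FLOOR = 60  # rules above: no lifetime may be less than 60 seconds


@dataclass(frozen=True)
class Lifetimes:
    """Values as entered with dcecp, in seconds (field names are hypothetical)."""
    renewable_life: int
    max_life: int
    default_life: int
    min_life: int


def clamp(value: int, ceiling: int) -> int:
    # Assumption: cap at the ceiling first, then apply the 60-second floor.
    return max(FLOOR, min(value, ceiling))


def effective(entered: Lifetimes) -> Lifetimes:
    """Apply the three rules in the order the page lists them."""
    max_life = clamp(entered.max_life, entered.renewable_life)
    default_life = clamp(entered.default_life, max_life)
    min_life = clamp(entered.min_life, default_life)
    return Lifetimes(entered.renewable_life, max_life, default_life, min_life)


def overridden(entered: Lifetimes) -> dict:
    """Map each field the rules replace to (entered, effective)."""
    eff = effective(entered)
    fields = ("max_life", "default_life", "min_life")
    return {f: (getattr(entered, f), getattr(eff, f))
            for f in fields if getattr(entered, f) != getattr(eff, f)}


if __name__ == "__main__":
    # Constructed sample: a short renewable lifetime cascades through all three.
    sample = Lifetimes(8 * HOUR, 15 * HOUR, 25 * HOUR, 10 * HOUR)
    for field, (was, now) in overridden(sample).items():
        print(f"{field}: entered {was / HOUR:g}h, effective {now / HOUR:g}h")
```

With the constructed sample, an 8-hour renewable lifetime pulls the maximum, default and minimum lifetimes down to 8 hours each, even though the entered values of 15, 25 and 10 hours would still be displayed.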
Note: To be exact, clocks in the network must be synchronized for the times that are associated with registry data.