Administration

Manual Administration Using kadmin

You may choose to set a maximum ticket lifetime for the default group template that is different from that of the krbtgt/ principal if you plan to enter a block of users that should have restricted ticket lifetimes. After the block of user principals is added, you can alter the default group setting again.

This attribute cannot be set with Command-Line-Administrator.

Maximum Renew Time Attribute

The Maximum Renew Time controls the renew time limit for renewable tickets. If this renew time is set to a time longer than the renew time assigned to the krbtgt/REALM@REALM principal, the settings on the krbtgt/ principal take precedence.

This attribute cannot be set with Command-Line-Administrator.

Key Type Attribute

The key type used to generate a secret key is an important security decision.

Each principal can be associated with two different secret keys. These are called the primary and secondary keys. Each key is associated with an encryption type. The encryption type designates the encryption algorithm used to generate the secret key. The three supported encryption types are:

DES-CRC

DES-MD5

DES3-MD5

This attribute cannot be set with Command-Line-Administrator.

Salt Type Attribute

A salt is a string of characters added to the beginning of a password before it is transformed into a secret key. Salts strengthen passwords and ensure that principals with the same password do not have the same key. Salt settings apply only to user principals; service principals use a random key, and as such do not require a designated salt (they use a salt type of None).

Salt type settings are controlled through the Password tab of the Principal Information window in Administrator.
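The effect described above, that two principals with the same password end up with different keys only when a salt is used, can be checked with the following added example, which is not part of the original manual. It assumes PBKDF2-HMAC-SHA1 as a stand-in for the product's DES string-to-key function and uses the RFC 4120 default salt (realm followed by the name components); the principal names and passwords are constructed sample data.

```python
import hashlib

# Constructed sample data: two users share a password, one does not.
PRINCIPALS = {
    "alice@EXAMPLE.ORG": "Spring2024!",
    "bob@EXAMPLE.ORG": "Spring2024!",
    "carol/admin@EXAMPLE.ORG": "x9#Lq-7fWz",
}

def string_to_key(password, salt, iterations=4096, length=16):
    """Derive a secret key from a password and salt.

    Assumption: PBKDF2-HMAC-SHA1 stands in for the DES string-to-key
    function of the key types listed on this page.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt.encode("utf-8"), iterations, length
    )

def default_salt(principal):
    """RFC 4120 default salt: realm, then name components, no separators."""
    name, _, realm = principal.rpartition("@")
    return realm + "".join(name.split("/"))

def shared_key_groups(principals, salted):
    """Return groups of principals whose derived keys are identical."""
    by_key = {}
    for principal, password in principals.items():
        salt = default_salt(principal) if salted else ""
        by_key.setdefault(string_to_key(password, salt), []).append(principal)
    return sorted(sorted(group) for group in by_key.values() if len(group) > 1)

if __name__ == "__main__":
    # Without a salt, reused passwords are visible as identical keys.
    print("no salt:     ", shared_key_groups(PRINCIPALS, salted=False))
    # With a per-principal salt, the same passwords yield distinct keys.
    print("default salt:", shared_key_groups(PRINCIPALS, salted=True))
```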
