I have a HTTP service running on my domain. But I have few doubts regarding how the life time for my HTTP service is decided. how long can a client be able to use my HTTP service ?
A Kerberos ticket has a lifetime (e.g. 10 hours) and a renewable lifetime (e.g. 7 days). As long as the ticket is still valid and is still renewable, you can request a "free" renewal -- no password required --, and the lifetime counter is reset (e.g. 10h to go, again).
When creating the ticket, each "lifetime" is set as the MIN() of 3 values:
/etc/krb5.conf (check the MIT documentation under ticket_lifetime and renew_lifetime)kinit command has -l and -r options)Bottom line: if your KDC does not serve renewable tickets because max_renewable_life = 0 then clients will have to get a new ticket every max_life (or less, if their local ticket_lifetime is smaller).
PS: if the ticket is stored in the default cache then you can use klist to check the end-of-(renewable)-life time.
PPS: I remember some complaints about Java API (JAAS) not allowing apps to request renewable Kerberos tickets... Check if it's still the case.