Rob Crittenden wrote:
ok, so we're still talking about any changes to the global ticket
policy, not just using ipa krbtpolicy-reset, which is what I had before.
I'll update this bit and just recommend krb5kdc restart like you say.
David O'Brien wrote:
Dmitri Pal wrote:
On 02/07/2011 06:46 PM, David O'Brien wrote:
Jenny Galipeau wrote:
Pavel Zuna wrote:
It seems that restarting krb5kdc is only needed when changes to the
global policy are made. Per-user policies take effect immediately
for newly requested tickets. Can someone please confirm?
Yes, in testing this is the behavior. If the help could specify that
a ipactl restart is required after global policy change, that would
Please raise a suitable bugzilla to get this included in the user doc.
So far I only have doc about restarting IPA services after ipa
Isn't it the same thing?
I took "changes" to mean using krbtpolicy-mod and any others, not just
-reset, which is the info I received last time.
The bottom line is that any change to the global Kerberos ticket policy
requires a restart of the KDC to see the changes (/sbin/service krb5kdc
restart). IMHO restarting the entire IPA world for this is overkill.
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189
"He who asks is a fool for five minutes, but he who does not ask remains
a fool forever."
~ Chinese proverb
Freeipa-devel mailing list