Rob Crittenden wrote:
David O'Brien wrote:
Dmitri Pal wrote:
On 02/07/2011 06:46 PM, David O'Brien wrote:
Jenny Galipeau wrote:
Pavel Zuna wrote:
It seems that restarting krb5kdc is only needed when changes to the
global policy are made. Per-user policies take effect immediately
for newly requested tickets. Can someone please confirm?
Yes, in testing this is the behavior. If the help could specify that
a ipactl restart is required after global policy change, that would
be great.

Please raise a suitable bugzilla to get this included in the user doc.
So far I only have doc about restarting IPA services after ipa

Isn't it the same thing?

I took "changes" to mean using krbtpolicy-mod and any others, not just
-reset, which is the info I received last time.

The bottom line is that any change to the global Kerberos ticket policy requires a restart of the KDC to see the changes (/sbin/service krb5kdc restart). IMHO restarting the entire IPA world for this is overkill.

ok, so we're still talking about any changes to the global ticket policy, not just using ipa krbtpolicy-reset, which is what I had before. I'll update this bit and just recommend krb5kdc restart like you say.



David O'Brien
Red Hat Asia Pacific Pty Ltd
+61 7 3514 8189

"He who asks is a fool for five minutes, but he who does not ask remains a fool forever."
 ~ Chinese proverb

Freeipa-devel mailing list

Reply via email to