Thank you very much.
Reading the docs at the right page is really helpful :-) :
The value requested by the client is compared to the --maxlife setting of the
user_name-specific Kerberos ticket policies if these policies
exist, and the lower value of the two is selected. If user_name-specific
Kerberos ticket policies do not exist, the value sent by the client
is compared to the --maxlife setting of the Global Kerberos ticket policy,
and the lower value of the two is selected. For details on global
and user-specific Kerberos ticket policies, see Section 29.1.2, “Global and
User-specific Kerberos Ticket Policies”.
The value selected in the previous step is compared to two other values:
- The value of the max_life setting in the /var/kerberos/krb5kdc/kdc.conf file
- The value set in the krbMaxTicketLife attribute of the LDAP entry with the
  distinguished name (DN):
  krbPrincipalName=krbtgt/REALM_NAME@REALM_NAME,cn=REALM_NAME,cn=kerberos,domain_name
The lowest of the three values is ultimately selected for the lifetime of the
Kerberos ticket granted to user_name.
You have to check three places! And the most important hint is the last
sentence: the lowest value wins!
So with the IPA GUI you cannot set a value higher than in kdc.conf and LDAP.
Thank you for the help.
Detlev
--
Detlev | Institut fuer Mikroelektronische Systeme
Habicht | D-30167 Hannover +49 511 76219662 [email protected]
--------+-------- Handy +49 172 5415752 ---------------------------
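As an added example (not part of this thread and not FreeIPA code), the three-place check from the quoted docs carried through in Python: it parses the krb5 duration syntax used in kdc.conf, pulls the policy value out of `ipa krbtpolicy-show` output, and reports which of the four limits ends up binding. The realm name, the kdc.conf stanza, the krbtpolicy output and the krbMaxTicketLife value are all constructed sample inputs.

```python
import re

# Constructed sample inputs (not from the thread): a kdc.conf realm stanza and
# the output of `ipa krbtpolicy-show --all`, the places the quoted docs name.
KDC_CONF = """[realms]
 EXAMPLE.TEST = {
  max_life = 10h
 }
"""
KRBTPOLICY_SHOW = """  Max life: 86400
  Max renew: 18144000
"""
UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_krb_duration(text):
    """Parse a krb5 duration: plain seconds, h:m[:s], or NdNhNmNs such as '1d 2h'."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    m = re.fullmatch(r"(\d+):(\d+)(?::(\d+))?", text)
    if m:
        h, mi, s = (int(x or 0) for x in m.groups())
        return h * 3600 + mi * 60 + s
    parts = re.findall(r"(\d+)\s*([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != re.sub(r"\s+", "", text):
        raise ValueError("unrecognised krb5 duration: %r" % text)
    return sum(int(n) * UNITS[u] for n, u in parts)

def kdc_conf_value(conf, realm, key):
    """Seconds for `key` (e.g. max_life) inside the realm's stanza of kdc.conf."""
    stanza = re.search(re.escape(realm) + r"\s*=\s*\{(.*?)\}", conf, re.S).group(1)
    m = re.search(r"^[ \t]*" + key + r"[ \t]*=[ \t]*(.+?)[ \t]*$", stanza, re.M)
    return parse_krb_duration(m.group(1))

def ipa_policy_value(output, label):
    """Pick 'Max life' or 'Max renew' (seconds) out of krbtpolicy-show output."""
    return int(re.search(r"^[ \t]*" + label + r":[ \t]*(\d+)", output, re.M).group(1))

def effective_ticket_life(requested, policy_maxlife, kdc_max_life, krb_max_ticket_life):
    """The doc's two-step comparison is one minimum over all four; returns (source, seconds)."""
    candidates = [("client request", requested), ("IPA krbtpolicy --maxlife", policy_maxlife),
                  ("kdc.conf max_life", kdc_max_life), ("krbtgt krbMaxTicketLife", krb_max_ticket_life)]
    return min(candidates, key=lambda c: c[1])  # ties go to the source listed first

def worked_example():
    """Client asks for 7 days, the GUI policy allows 1 day, kdc.conf caps it at 10 hours."""
    requested = parse_krb_duration("7d")  # what a `kinit -l 7d` would request
    policy = ipa_policy_value(KRBTPOLICY_SHOW, "Max life")
    kdc = kdc_conf_value(KDC_CONF, "EXAMPLE.TEST", "max_life")
    krbtgt = parse_krb_duration("14d")  # constructed krbMaxTicketLife of the krbtgt entry
    return effective_ticket_life(requested, policy, kdc, krbtgt)
```

Running `worked_example()` shows the kdc.conf value winning even though the GUI policy is higher, which is exactly why a larger number entered in the GUI has no visible effect.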
> On 02.01.2020 at 17:34, Florence Blanc-Renaud via FreeIPA-users
> <[email protected]> wrote:
>
> Hi,
>
> please have a look at the documentation [1]. There are multiple levels where
> the ticket max life/max renew can be defined and the doc explains the various
> settings that must be taken into account.
>
> Hope this clarifies,
> flo
>
> [1]
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/kerberos#kerberos-policies
>
> On 1/2/20 4:59 PM, Dirk Streubel via FreeIPA-users wrote:
>> Hello Detlev,
>> I have made this:
>> ipa krbtpolicy-mod --maxlife=43200 --maxrenew=604800
>> and the result is this:
>> Standard-Principal: dirk@XXX
>> Valid starting Expires Service principal
>> 02.01.2020 16:53:29 03.01.2020 04:53:29 krbtgt/XXX@XXX
>> erneuern bis 03.01.2020 16:53:21
>> Is this what you wanted to see?
>> When I set the maxlife to 7 days I can only see the expire date.
>> I don't know why and I must say I am not a "Kerberos Master" :)
>> Regards
>> Dirk
>> On 02.01.20 at 16:13, Detlev Habicht via FreeIPA-users wrote:
>>> Yes … I can do this too …
>>>
>>> But do you also see this value with klist???
>>>
>>> Greetings
>>>
>>> Detlev
>>>
>>>
>>>
>>>
>>>> On 02.01.2020 at 16:03, Dirk Streubel <[email protected]> wrote:
>>>>
>>>> Hello Detlev,
>>>>
>>>> I have set the "Max renew" to 1814400 seconds without any problems in the
>>>> GUI.
>>>>
>>>> And ipa krbtpolicy-show --all shows me this:
>>>>
>>>> Max life: 86400
>>>> Max renew: 18144000
>>>>
>>>> I set the new "Max renew" and save it, nothing more :)
>>>>
>>>>
>>>> Regards
>>>>
>>>> Dirk
>>>>
>>>>
>>>> On 02.01.20 at 15:39, Detlev Habicht via FreeIPA-users wrote:
>>>>> Hello,
>>>>>
>>>>> when I want to set the Kerberos policy via the IPA GUI for tickets, I have
>>>>> two parameters:
>>>>>
>>>>> Max renew
>>>>> Max life
>>>>>
>>>>> "Max life" is working for me as expected.
>>>>>
>>>>> But it seems that "Max renew" has a maximum value of 14 days (of
>>>>> course I set it in seconds).
>>>>> Is this true?
>>>>>
>>>>> What can I do to set a value higher than 14 days?
>>>>>
>>>>> Thank you for any help!
>>>>>
>>>>> Detlev
>>>>>
>>>>> P.S.: We need a high value for simulations …
>>>>>
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- [email protected]
>>>>> To unsubscribe send an email to [email protected]
>>>>> Fedora Code of Conduct:
>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives:
>>>>> https://lists.fedorahosted.org/archives/list/[email protected]