On 16-12-2020 16:03, Alexander Bokovoy wrote:
> On ke, 16 joulu 2020, Kees Bakker via FreeIPA-users wrote:
>> On 16-12-2020 14:59, François Cami wrote:
>>> On Wed, Dec 16, 2020 at 2:53 PM Kees Bakker <[email protected]
>>> <mailto:[email protected]>> wrote:
>>>
>>>     Thanks for the pointer. A bit old, but probably still relevant.
>>>
>>>     Anyway, I was thinking that the following may be the cause of
>>>     my observation. I'm now working from home (as many will recognize).
>>>     My setup is an X2GO connection to the office. The session is kept alive
>>>     all the time and without a screenlock in that X2GO session.
>>>
>>>     Before, I was working in the office, and there I had a screenlock as soon
>>>     as I left my desk. I'm guessing that the TGT was renewed or newly created
>>>     when I unlocked the screen. If that is the case then I never noticed an
>>>     expired TGT.
>>>
>>>     It's just a wild guess.
>>>
>>>     In the meantime I'm going to figure out what the configuration should be
>>>     to not run into an expired TGT all the time. Of course we have a FreeIPA
>>>     flavor of it all. In my case: Centos7 for the masters, and Ubuntu for the
>>>     clients.
>>>
>>>
>>> Look at the client's configuration:
>>> https://linux.die.net/man/5/sssd-krb5
>>> krb5_store_password_if_offline
>>> krb5_renewable_lifetime
>>> krb5_renew_interval
>>>
>>
>> In /etc/sssd/sssd.conf I now have:
>> krb5_renewable_lifetime = 60d
>> krb5_renew_interval = 6h
>>
>> The ipa client install already placed krb5_store_password_if_offline=True in
>> there.
>>
>> In /etc/krb5.conf in the [libdefaults] section I have:
>> ticket_lifetime = 24h
>> default_ccache_name = KEYRING:persistent:%{uid}
>>
>> On the clients I now see a TGT with flags FRIA. Great. It seems that my server
>> only allows max 7 days.
>>
>> renew until 23-12-20 15:18:42, Flags: FRIA
>>
>> Let's see if this is sufficient.
>
> If you need a longer period to be allowed, you need to modify
> /var/kerberos/krb5kdc/kdc.conf and set 'max_life' there. It has to be
> done on all IPA replicas.
>
> The options max_life and max_renewable_life are described in the man page
> for kdc.conf:
>
> max_life
>     (duration string.) Specifies the maximum time period for
>     which a ticket may be valid in this realm. The default
>     value is 24 hours.
>
> max_renewable_life
>     (duration string.) Specifies the maximum time period
>     during which a valid ticket may be renewed in this realm.
>     The default value is 0.

OK

How does this relate to the settings in the web GUI, in Policy > Kerberos
Ticket Policy? There I have (installation defaults):

Max renew (seconds): 604800 (7 days)
Max life (seconds): 86400 (24 hours)

In /var/kerberos/krb5kdc/kdc.conf (on all replicas) I have:

max_life = 7d
max_renewable_life = 14d
--
Kees
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
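The thread touches four places where a TGT's lifetime is capped (krb5.conf ticket_lifetime, sssd.conf krb5_renewable_lifetime, kdc.conf max_life / max_renewable_life, and the IPA Kerberos Ticket Policy) without spelling out how they combine. The script below is an added example by the editor, not code from the thread, FreeIPA or SSSD. It assumes the MIT KDC rule that a granted lifetime is the minimum of what the client requests, the realm cap in kdc.conf and the per-principal cap, and that in FreeIPA the per-principal cap is the Kerberos Ticket Policy (the values `ipa krbtpolicy-show` prints). It also assumes the sssd-krb5(5) behaviour that SSSD renews a TGT once about half of its lifetime has passed, checking every krb5_renew_interval. The config fragments are constructed from the values quoted above; the realm and domain names are placeholders.

```python
"""Work out the TGT lifetime a FreeIPA client actually gets from the settings
discussed in the thread (sssd.conf, krb5.conf, kdc.conf, Kerberos Ticket
Policy).

Added example, not code from the thread, FreeIPA or SSSD. Assumptions:
- MIT KDC rule: the granted lifetime is the minimum of what the client asks
  for, the realm cap in kdc.conf and the per-principal cap; in FreeIPA the
  per-principal cap is the Kerberos Ticket Policy (ipa krbtpolicy-show).
- SSSD renews the TGT once about half its lifetime has passed, checking
  every krb5_renew_interval (sssd-krb5(5)).
The config fragments below are constructed from the values quoted in the
thread; realm and domain names are placeholders.
"""
import re

SSSD_CONF = """\
[domain/example.test]
krb5_store_password_if_offline = True
krb5_renewable_lifetime = 60d
krb5_renew_interval = 6h
"""

KRB5_CONF = """\
[libdefaults]
 ticket_lifetime = 24h
 default_ccache_name = KEYRING:persistent:%{uid}
"""

KDC_CONF = """\
[realms]
 EXAMPLE.TEST = {
  max_life = 7d
  max_renewable_life = 14d
 }
"""

# Installation defaults shown under Policy > Kerberos Ticket Policy, in seconds.
KRBTPOLICY = {"maxlife": 86400, "maxrenew": 604800}

UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse an MIT Kerberos duration string into seconds.

    Accepts a bare integer (seconds), unit suffixes ('7d', '24h', '1d 2h',
    '30m', '45s') and h:m[:s]. Anything else raises ValueError.
    """
    text = text.strip()
    if re.fullmatch(r"\d+", text):
        return int(text)
    if re.fullmatch(r"\d+:\d+(:\d+)?", text):
        h, m, s = (list(map(int, text.split(":"))) + [0])[:3]
        return h * 3600 + m * 60 + s
    units = re.findall(r"(\d+)\s*([dhms])", text)
    if not units or re.sub(r"\d+\s*[dhms]\s*", "", text).strip():
        raise ValueError("unrecognised duration: %r" % text)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in units)


def get_setting(conf, key, default):
    """Return the raw value of 'key = value' from an ini-style config."""
    m = re.search(r"^\s*%s\s*=\s*(\S+)" % re.escape(key), conf, re.M)
    return m.group(1) if m else default


def binding_minimum(caps):
    """Smallest cap plus the names of every setting that imposes it."""
    low = min(caps.values())
    return low, sorted(name for name, value in caps.items() if value == low)


def effective_lifetimes(sssd_conf, krb5_conf, kdc_conf, policy):
    """Return the ticket life and renewable life the KDC will grant, which
    settings bind them, and any sanity warnings."""
    life_caps = {
        # krb5.conf ticket_lifetime and kdc.conf max_life both default to 1 day.
        "krb5.conf ticket_lifetime": parse_duration(get_setting(krb5_conf, "ticket_lifetime", "1d")),
        "kdc.conf max_life": parse_duration(get_setting(kdc_conf, "max_life", "1d")),
        "krbtpolicy maxlife": policy["maxlife"],
    }
    renew_caps = {
        # Both default to 0, which means no renewable tickets at all.
        "sssd.conf krb5_renewable_lifetime": parse_duration(get_setting(sssd_conf, "krb5_renewable_lifetime", "0")),
        "kdc.conf max_renewable_life": parse_duration(get_setting(kdc_conf, "max_renewable_life", "0")),
        "krbtpolicy maxrenew": policy["maxrenew"],
    }
    life, life_by = binding_minimum(life_caps)
    renew, renew_by = binding_minimum(renew_caps)
    interval = parse_duration(get_setting(sssd_conf, "krb5_renew_interval", "0"))

    warnings = []
    if renew == 0:
        warnings.append("TGT will not be renewable (%s is 0)" % ", ".join(renew_by))
    elif interval == 0:
        warnings.append("krb5_renew_interval unset: sssd will never renew the TGT")
    elif interval > life // 2:
        warnings.append("krb5_renew_interval (%ds) exceeds half the ticket life (%ds): "
                        "the TGT can expire between two renewal checks" % (interval, life))
    return {"life": life, "life_by": life_by,
            "renew": renew, "renew_by": renew_by, "warnings": warnings}


if __name__ == "__main__":
    result = effective_lifetimes(SSSD_CONF, KRB5_CONF, KDC_CONF, KRBTPOLICY)
    print("ticket life: %ds, bound by %s" % (result["life"], ", ".join(result["life_by"])))
    print("renewable life: %ds, bound by %s" % (result["renew"], ", ".join(result["renew_by"])))
    for w in result["warnings"]:
        print("warning:", w)
```

With the thread's values the script reports a 24-hour ticket life (bound by both krb5.conf and the policy) and a 7-day renewable life bound only by the policy's maxrenew of 604800, which is consistent with the "renew until" seven days out that the client showed even though kdc.conf allows 14d. Under the stated assumption, raising kdc.conf alone does nothing until the ticket policy is raised as well (`ipa krbtpolicy-mod --maxrenew=<seconds>` for the global policy), and a TGT that has already been issued keeps the renew-until time it was stamped with; only newly obtained tickets pick up the new caps.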
