On ke, 16 joulu 2020, Kees Bakker via FreeIPA-users wrote:
On 16-12-2020 16:03, Alexander Bokovoy wrote:
On ke, 16 joulu 2020, Kees Bakker via FreeIPA-users wrote:
On 16-12-2020 14:59, François Cami wrote:
On Wed, Dec 16, 2020 at 2:53 PM Kees Bakker <[email protected]
<mailto:[email protected]>> wrote:
Thanks for the pointer. A bit old, but probably still relevant.
Anyway, I was thinking that the following may be the cause of
my observation. I'm now working from home (as many will recognize).
My setup is a X2GO connection to the office. The session is kept alive
all the time and without a screenlock in that X2GO session.
Before I was working in the office, and there I had a screenlock as soon
as I left my desk. I'm guessing that the TGT was renewed or newly created
when I unlocked the screen. If that is the case then I never noticed an
expired TGT.
It's just a wild guess.
In the mean time I'm going to figure out what the configuration should be
to not run into an expired TGT all the time. Of course we have a FreeIPA
flavor of it all. In my case: Centos7 for the masters, and Ubuntu for the
clients.
Look at the client's configuration:
https://linux.die.net/man/5/sssd-krb5
krb5_store_password_if_offline
krb5_renewable_lifetime
krb5_renew_interval
In /etc/sssd/sssd.conf I now have:
krb5_renewable_lifetime = 60d
krb5_renew_interval = 6h
The ipa client install already placed krb5_store_password_if_offline=True in
there.
In /etc/krb5.conf in the [libdefaults] section I have:
ticket_lifetime = 24h
default_ccache_name = KEYRING:persistent:%{uid}
On the clients I now see a TGT with flags FRIA. Great. It seems that my server
only allows max 7 days.
renew until 23-12-20 15:18:42, Flags: FRIA
Let's see if this is sufficient.
If you need longer period to be allowed, you need to modify
/var/kerberos/krb5kdc/kdc.conf and set 'max_life' there. It has to be
done on all IPA replicas.
The options max_life and max_renewable_life are described in man page
for kdc.conf:
max_life
(duration string.) Specifies the maximum time period for
which a ticket may be valid in this realm. The default
value is 24 hours.
max_renewable_life
(duration string.) Specifies the maximum time period
during which a valid ticket may be renewed in this realm.
The default value is 0.
OK
How does this relate to the settings in the web GUI, in Policy > Kerberos
Ticket Policy?
That defines a policy which apllies within the defaults of KDC (in
kdc.conf). When KDC calculates end ticket time, it cuts off the proposed
ticket time (proposed by a client and checked by the KDC driver after
applying policies) by this limit.
There I have (installation defaults):
Max renew (seconds): 604800 (7 days)
Max life (seconds): 86400 (24 hours)
In /var/kerberos/krb5kdc/kdc.conf (on all replicas) I have:
max_life = 7d
max_renewable_life = 14d
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
