On 07/30/2012 05:00 PM, george he wrote:
> Hello all,
> I'm trying to change the krb ticket life time for myself, so I used
> ipa krbtpolicy-mod MYUSERNAME --maxlife 360000
> but then after I do kinit, my new ticket is still going to expire after 24
> hours, which is the default ticket life, even though
> ipa krbtpolicy-show MYUSERNAME
> returns
>   Max life: 360000
> What am I missing? I'm using ipa2.2 on FC17.
> Thanks,
> George

Hello George,

I think there are 2 different things being mixed - maximal lifetime which can
configured in IPA (KDC) with the krbtpolicy-mod command you just shown and the
lifetime of a ticket that is actually requested.

The requested lifetime is by default 24h, as per krb5.conf man page:

              The  value  of this tag is the default lifetime for initial
              tickets.  The default value for the tag is 1 day (1d).

If you change this default value in krb5.conf or specifically kinit with a
chosen lifetime, you should get it:

# ipa krbtpolicy-mod admin --maxlife 172800
  Max life: 172800

# kinit -l 2d

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ad...@redhat.com

Valid starting     Expires            Service principal
07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat....@redhat.com


Freeipa-users mailing list

Reply via email to