On 07/30/2012 05:00 PM, george he wrote:
> Hello all,
> I'm trying to change the krb ticket life time for myself, so I used
> ipa krbtpolicy-mod MYUSERNAME --maxlife 360000
> but then after I do kinit, my new ticket is still going to expire after 24
> hours, which is the default ticket life, even though
> ipa krbtpolicy-show MYUSERNAME
> returns
> Max life: 360000
> What am I missing? I'm using ipa2.2 on FC17.
> Thanks,
> George

Hello George,

I think there are 2 different things being mixed - maximal lifetime which can
be configured in IPA (KDC) with the krbtpolicy-mod command you just showed and
the lifetime of a ticket that is actually requested.

The requested lifetime is by default 24h, as per krb5.conf man page:

    ticket_lifetime
        The value of this tag is the default lifetime for initial tickets.
        The default value for the tag is 1 day (1d).

If you change this default value in krb5.conf or specifically kinit with a
chosen lifetime, you should get it:

    # ipa krbtpolicy-mod admin --maxlife 172800
      Max life: 172800
    # kinit -l 2d
    # klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: ad...@redhat.com

    Valid starting     Expires            Service principal
    07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat....@redhat.com

HTH,
Martin
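
Added example, not part of the thread and not FreeIPA or MIT krb5 code: a small model of the two values discussed above, showing that the lifetime a client gets is the requested lifetime capped by the principal's max life. The names parse_duration and granted_lifetime are hypothetical, the parser covers only the bare-seconds, h:m[:s] and NdNhNmNs duration forms, and other KDC-side caps (realm-wide maximum, the krbtgt principal's own max life) are assumed not to be the limiting factor.

```python
import re

_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert a krb5-style duration ('2d', '1d12h', '10:30', '360000') to seconds."""
    text = text.strip().lower()
    if re.fullmatch(r"\d+", text):                      # bare number of seconds
        return int(text)
    m = re.fullmatch(r"(\d+):(\d+)(?::(\d+))?", text)   # h:m or h:m:s
    if m:
        hours, minutes, seconds = (int(g or 0) for g in m.groups())
        return hours * 3600 + minutes * 60 + seconds
    parts = re.findall(r"(\d+)\s*([dhms])", text)       # NdNhNmNs
    leftover = re.sub(r"(\d+)\s*([dhms])|\s+", "", text)
    if not parts or leftover:
        raise ValueError("unrecognised duration: %r" % text)
    return sum(int(n) * _UNITS[unit] for n, unit in parts)


def granted_lifetime(policy_maxlife, requested="1d"):
    """Seconds of lifetime granted: the request capped by the principal's max life.

    policy_maxlife -- value set with `ipa krbtpolicy-mod USER --maxlife N`
    requested      -- what the client asks for: `kinit -l` or ticket_lifetime
                      in krb5.conf; defaults to the documented 1d
    """
    return min(parse_duration(requested), policy_maxlife)


if __name__ == "__main__":
    # Constructed cases mirroring the two situations in the thread.
    cases = [
        ("maxlife 360000, plain kinit", 360000, "1d"),
        ("maxlife 172800, kinit -l 2d", 172800, "2d"),
        ("maxlife 172800, kinit -l 7d", 172800, "7d"),
    ]
    for label, maxlife, req in cases:
        secs = granted_lifetime(maxlife, req)
        print("%-30s -> %6d s (%.1f h)" % (label, secs, secs / 3600.0))
```

Raising --maxlife alone leaves the first case at 86400 seconds; only a larger request (kinit -l or ticket_lifetime) moves the result, and never past the policy value.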