Thank you, Martin. This helps.
> From: Martin Kosek <mko...@redhat.com>
>To: george he <george_...@yahoo.com>
>Cc: "email@example.com" <firstname.lastname@example.org>
>Sent: Tuesday, July 31, 2012 3:04 AM
>Subject: Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife
>On 07/30/2012 05:00 PM, george he wrote:
>> Hello all,
>> I'm trying to change the krb ticket life time for myself, so I used
>> ipa krbtpolicy-mod MYUSERNAME --maxlife 360000
>> but then after I do kinit, my new ticket is still going to expire after 24
>> hours, which is the default ticket life, even though
>> ipa krbtpolicy-show MYUSERNAME
>> Max life: 360000
>> What am I missing? I'm using ipa2.2 on FC17.
>I think there are 2 different things being mixed - maximal lifetime which can be
>configured in IPA (KDC) with the krbtpolicy-mod command you just showed and the
>lifetime of a ticket that is actually requested.
>The requested lifetime is by default 24h, as per krb5.conf man page:
> The value of this tag is the default lifetime for initial
> tickets. The default value for the tag is 1 day (1d).
>If you change this default value in krb5.conf or specifically kinit with a
>chosen lifetime, you should get it:
># ipa krbtpolicy-mod admin --maxlife 172800
> Max life: 172800
># kinit -l 2d
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: ad...@redhat.com
>Valid starting     Expires            Service principal
>07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat....@redhat.com
Freeipa-users mailing list
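
Added example (not part of the original thread, and not FreeIPA or MIT Kerberos code): a small Python model of the rule Martin describes, where the ticket lifetime is the client's requested lifetime capped by the maxlife policy. It assumes the krb5.conf tag quoted above is ticket_lifetime in [libdefaults]; the function names and the sample krb5.conf are constructed for illustration, and other KDC-side caps are not modelled.

```python
import re

DEFAULT_REQUEST = "1d"  # default lifetime for initial tickets, per the krb5.conf man page

# Constructed sample krb5.conf with no ticket_lifetime set (the poster's situation).
SAMPLE_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com
  }
"""

def parse_duration(text):
    """Convert a krb5-style duration ('2d', '1d12h', '10:30', '360000') to seconds."""
    text = text.strip()
    if text.isdigit():                                   # plain seconds
        return int(text)
    m = re.fullmatch(r"(\d+):(\d+)(?::(\d+))?", text)    # h:m[:s]
    if m:
        h, mi, s = (int(g or 0) for g in m.groups())
        return h * 3600 + mi * 60 + s
    m = re.fullmatch(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if m and any(m.groups()):                            # NdNhNmNs
        d, h, mi, s = (int(g or 0) for g in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + s
    raise ValueError(f"unrecognised duration: {text!r}")

def configured_request(krb5_conf_text):
    """Return ticket_lifetime from [libdefaults], or the 1d default if unset."""
    section = None
    for line in krb5_conf_text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")):                  # comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "ticket_lifetime":
                return value
    return DEFAULT_REQUEST

def issued_lifetime(krb5_conf_text, policy_maxlife, kinit_l=None):
    """Seconds the ticket lives: kinit -l (or the krb5.conf request), capped by maxlife."""
    requested = parse_duration(kinit_l or configured_request(krb5_conf_text))
    return min(requested, policy_maxlife)
```

With the sample file, a maxlife of 360000 still yields a 86400-second ticket because nothing requested more than the 1d default; raising maxlife only raises the ceiling.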