Thank you, Martin. This helps.
George



>________________________________
> From: Martin Kosek <mko...@redhat.com>
>To: george he <george_...@yahoo.com> 
>Cc: "freeipa-users@redhat.com" <freeipa-users@redhat.com> 
>Sent: Tuesday, July 31, 2012 3:04 AM
>Subject: Re: [Freeipa-users] ipa krbtpolicy-mod --maxlife
> 
>On 07/30/2012 05:00 PM, george he wrote:
>> Hello all,
>> I'm trying to change the krb ticket life time for myself, so I used
>> ipa krbtpolicy-mod MYUSERNAME --maxlife 360000
>> but then after I do kinit, my new ticket is still going to expire after 24
>> hours, which is the default ticket life, even though
>> ipa krbtpolicy-show MYUSERNAME
>> returns
>>   Max life: 360000
>> What am I missing? I'm using ipa2.2 on FC17.
>> Thanks,
>> George
>
>Hello George,
>
>I think there are 2 different things being mixed - maximal lifetime which can
>be configured in IPA (KDC) with the krbtpolicy-mod command you just showed and
>the lifetime of a ticket that is actually requested.
>
>The requested lifetime is by default 24h, as per krb5.conf man page:
>
>       ticket_lifetime
>              The  value  of this tag is the default lifetime for initial
>              tickets.  The default value for the tag is 1 day (1d).
>
>If you change this default value in krb5.conf or specifically kinit with a
>chosen lifetime, you should get it:
>
># ipa krbtpolicy-mod admin --maxlife 172800
>  Max life: 172800
>
># kinit -l 2d
>
># klist
>Ticket cache: FILE:/tmp/krb5cc_0
>Default principal: ad...@redhat.com
>
>Valid starting     Expires            Service principal
>07/31/12 03:00:17  08/02/12 03:00:14  krbtgt/redhat....@redhat.com
>
>HTH,
>Martin
>
>
>
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
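
The interaction described in the thread above, as an added example that is not part of the original messages: the client's requested lifetime (`kinit -l`, else `ticket_lifetime` from krb5.conf, else the 1d default) is capped by the `--maxlife` set with `krbtpolicy-mod`. The function names and the sample krb5.conf are constructed for illustration, and only these two limits are modelled; any other KDC-side caps are left out.

```python
import re

DEFAULT_TICKET_LIFETIME = "1d"  # default quoted from the krb5.conf man page in the thread

def parse_duration(text):
    """Convert a krb5 duration (N seconds, h:m[:s], or NdNhNmNs) to seconds."""
    text = text.strip().lower()
    if re.fullmatch(r"\d+", text):
        return int(text)
    if re.fullmatch(r"\d+:\d+(:\d+)?", text):
        parts = [int(p) for p in text.split(":")] + [0]
        return parts[0] * 3600 + parts[1] * 60 + parts[2]
    m = re.fullmatch(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text)
    if not m or not text:
        raise ValueError("unrecognised duration: %r" % text)
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def configured_lifetime(krb5_conf):
    """Return ticket_lifetime from [libdefaults], or the 1d default if unset."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "ticket_lifetime":
                return value
    return DEFAULT_TICKET_LIFETIME

def effective_lifetime(krb5_conf, policy_maxlife, kinit_l=None):
    """Lifetime the client asks for, capped by the KDC policy maxlife (seconds)."""
    requested = parse_duration(kinit_l or configured_lifetime(krb5_conf))
    granted = min(requested, policy_maxlife)
    limit = "KDC policy" if requested > policy_maxlife else "client request"
    return granted, limit

# Constructed sample: a krb5.conf with no ticket_lifetime, as in the question.
SAMPLE_CONF = """
[libdefaults]
  default_realm = EXAMPLE.TEST
"""

if __name__ == "__main__":
    print(effective_lifetime(SAMPLE_CONF, 360000))        # maxlife raised, plain kinit
    print(effective_lifetime(SAMPLE_CONF, 172800, "2d"))  # kinit -l 2d, maxlife 172800
    print(effective_lifetime(SAMPLE_CONF, 172800, "7d"))  # request above the policy cap
```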
