We are currently mostly using RHEL 6 on the clients but IPA is on RHEL
7.3. I am using Kerberos to authenticate NFS mounts and it's working
fine.  However, there are a lot of users who are complaining that it's
causing too many problems.  They are all related to key expiry.

I have looked at how to rectify this and noticed that the only
solution with RHEL 6 is to increase the time the key is valid.
However, it hasn't worked; the key lifetime remains a day, with a maximum
lifetime of 7 days.

These are the changes I have made so far:

Changed the policy on IPA:

[root@lithium ~]# ipa krbtpolicy-show
  Max life: 15552000
  Max renew: 25552000
[root@lithium ~]#

Changed Kerberos configuration:

  default_realm = ENG.EXAMPLE.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 4320h
  forwardable = yes
  udp_preference_limit = 0

Changed sssd configurations:


krb5_renewable_lifetime = 180d
krb5_renew_interval = 3600
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = eng.example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = platinum.eng.example.com
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, lithium.eng.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
autofs_provider = ipa
ipa_automount_location = default
services = nss, sudo, pam, autofs, ssh

domains = eng.example.com
homedir_substring = /home

None have led to any difference, as seen below.  What would I be missing?

Ticket cache: FILE:/tmp/krb5cc_782_L8aH9N
Default principal: will...@eng.example.com

Valid starting     Expires            Service principal
02/15/17 13:17:11  02/22/17 13:17:11  krbtgt/eng.example....@eng.example.com
        renew until 03/01/17 13:17:11
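
A small check of the gap described in the message above, as an added example that is not part of the original post: it parses the klist output shown and compares the issued lifetimes with the values requested in krb5.conf and sssd.conf. The function names are hypothetical, and only single-unit durations (such as 4320h or 180d) are handled.

```python
import re
from datetime import datetime, timedelta

# klist output copied from the post above (principal names are truncated there).
KLIST_OUTPUT = """\
Valid starting     Expires            Service principal
02/15/17 13:17:11  02/22/17 13:17:11  krbtgt/eng.example....@eng.example.com
        renew until 03/01/17 13:17:11
"""
# Values the post requests: ticket_lifetime (krb5.conf), krb5_renewable_lifetime (sssd.conf).
REQUESTED = {"ticket_lifetime": "4320h", "krb5_renewable_lifetime": "180d"}

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
FMT = "%m/%d/%y %H:%M:%S"
STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"


def parse_duration(text):
    """Convert '4320h', '180d' or bare seconds to a timedelta (single unit only)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2) or "s"])


def parse_tgt(klist_text):
    """Return (ticket lifetime, renewable lifetime or None) for the krbtgt entry."""
    pattern = STAMP + r"\s+" + STAMP + r"\s+krbtgt/\S+(?:\s+renew until " + STAMP + r")?"
    m = re.search(pattern, klist_text)
    if not m:
        raise ValueError("no krbtgt entry found")
    start, end, renew = (datetime.strptime(s, FMT) if s else None for s in m.groups())
    return end - start, (renew - start if renew else None)


def compare(klist_text, requested):
    """Return (setting, requested, issued, shorter_than_requested) per setting."""
    life, renew = parse_tgt(klist_text)
    issued = {"ticket_lifetime": life, "krb5_renewable_lifetime": renew}
    rows = []
    for name, value in requested.items():
        want, got = parse_duration(value), issued[name]
        rows.append((name, want, got, got is None or got < want))
    return rows


if __name__ == "__main__":
    for name, want, got, short in compare(KLIST_OUTPUT, REQUESTED):
        print(f"{name}: requested {want}, issued {got}, shorter={short}")
```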

