Hello,

We are currently mostly using RHEL 6 on the clients but IPA is on RHEL 7.3. I am using Kerberos to authenticate NFS mount and it's working fine. However, there are a lot of users who are complaining that it's causing too many problems. They are all related to key expiry.
I have looked at how to rectify this and noticed that the only solution with RHEL 6 is to increase the time the key is valid. However, it hasn't worked; the key lifetime remains a day and maximum lifetime of 7 days. These are the changes I have made so far:

Changed the policy on IPA:

    [root@lithium ~]# ipa krbtpolicy-show
      Max life: 15552000
      Max renew: 25552000
    [root@lithium ~]#

Changed Kerberos configuration:

    [libdefaults]
    default_realm = ENG.EXAMPLE.COM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 4320h
    forwardable = yes
    udp_preference_limit = 0

Changed sssd configurations:

    [domain/eng.example.com]
    krb5_renewable_lifetime = 180d
    krb5_renew_interval = 3600
    cache_credentials = True
    krb5_store_password_if_offline = True
    ipa_domain = eng.example.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    ipa_hostname = platinum.eng.example.com
    chpass_provider = ipa
    ipa_dyndns_update = True
    ipa_server = _srv_, lithium.eng.example.com
    ldap_tls_cacert = /etc/ipa/ca.crt
    autofs_provider = ipa
    ipa_automount_location = default

    [sssd]
    services = nss, sudo, pam, autofs, ssh
    domains = eng.example.com

    [nss]
    homedir_substring = /home

None have led to any difference, as seen below. What would I be missing?

    Ticket cache: FILE:/tmp/krb5cc_782_L8aH9N
    Default principal: [email protected]

    Valid starting     Expires            Service principal
    02/15/17 13:17:11  02/22/17 13:17:11  krbtgt/[email protected]
            renew until 03/01/17 13:17:11

Regards,
William
