Morning David,

Thank you very much for your help.

> first you're mentioning "key expiry" but if I understand correctly you're
> interested in "ticket lifetime".
Yes, want to increase ticket lifetime.
> As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
> You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> [libdefaults] in /etc/krb5.conf on client).
> To increase 2) you need to change maxlife for krbtgt service. There're two ways
> this can be done:
> a) modifying krbMaxTicketLife attribute in
> krbPrincipalName=krbtgt/,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> b) using kadmin.local:
> # kadmin.local
> Authenticating as principal admin/
> : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> Principal "krbtgt/" modified.
> : exit

Will try 2 b and see how it goes

> To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
> and restart krb5kdc service.

okay, wasn't actually aware of this.  Will look at it

> But generally I don't think it's a good idea to have such long tickets. Would
> it make sense in your use case to deploy SSSD on user systems to handle
> Kerberos tickets for them?
I am actually using SSSD on all the systems, even the desktops.  I
agree the changes above aren't ideal and would prefer to get SSSD
working well.  I would like to avoid this error showing around
every 12 hours.

antimony:  Could not chdir to home directory /home/william: Key has expired
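
The "minimum of 4 values" rule quoted above, as an added Python example that is not part of the original message: it reads `max_life` and `ticket_lifetime` from config text, takes the two principal maxlife values, and reports which limit caps the ticket. The config snippets and values are constructed; only the plain-seconds, `h:m[:s]` and `NdNhNmNs` duration forms are parsed, so a kadmin-style value such as `10day` must be passed as `10d`.

```python
import re

UNIT = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert a krb5 duration (N seconds, h:m[:s], or NdNhNmNs) to seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    if re.fullmatch(r"\d+:\d+(:\d+)?", text):
        h, m, s = ([int(p) for p in text.split(":")] + [0])[:3]
        return h * 3600 + m * 60 + s
    compact = text.replace(" ", "")
    if not re.fullmatch(r"(\d+[dhms])+", compact):
        raise ValueError(f"unsupported duration: {text!r}")
    return sum(int(n) * UNIT[u] for n, u in re.findall(r"(\d+)([dhms])", compact))

def conf_value(conf_text, key, default):
    """Return the first 'key = value' setting in the config text, else default."""
    m = re.search(rf"^[ \t]*{re.escape(key)}[ \t]*=[ \t]*(.+?)[ \t]*$", conf_text, re.M)
    return m.group(1) if m else default

def effective_lifetime(user_maxlife, krbtgt_maxlife, kdc_conf, krb5_conf):
    """Return (seconds, limiting source) across the four limits in the thread."""
    limits = {
        "user principal maxlife": parse_duration(user_maxlife),
        "krbtgt principal maxlife": parse_duration(krbtgt_maxlife),
        # 24h is the MIT krb5 documented default when the setting is absent.
        "kdc.conf max_life": parse_duration(conf_value(kdc_conf, "max_life", "24h")),
        "requested ticket_lifetime": parse_duration(
            conf_value(krb5_conf, "ticket_lifetime", "24h")),
    }
    source = min(limits, key=limits.get)
    return limits[source], source

# Constructed sample configs (not taken from the poster's systems).
KDC_CONF = """[realms]
 EXAMPLE.ORG = {
  max_life = 12h 0m 0s
  max_renewable_life = 7d 0h 0m 0s
 }
"""
KRB5_CONF = """[libdefaults]
 ticket_lifetime = 10d
"""

if __name__ == "__main__":
    seconds, source = effective_lifetime("10d", "10d", KDC_CONF, KRB5_CONF)
    print(f"effective lifetime: {seconds // 3600}h, limited by {source}")
```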

