Thank you very much for your help.
> first you're mentioning "key expiry" but if I understand correctly you're
> interested in "ticket lifetime".
Yes, want to increase ticket lifetime.
> As mentioned here the ticket lifetime is the minimum of 4 values:
> 1) maxlife for the user principal
> 2) maxlife for the service [principal]
> 3) max_life in the kdc.conf
> 4) requested lifetime in the ticket request
> You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> [libdefaults] in /etc/krb5.conf on client).
> To increase 2) you need to change maxlife for krbtgt service. There're two
> ways this can be done:
> a) modifying krbMaxTicketLife attribute in
> b) using kadmin.local:
> # kadmin.local
> Authenticating as principal admin/ad...@example.org
> : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> Principal "krbtgt/example....@example.org" modified.
> : exit
Will try 2 b and see how it goes
> To increase 3) you need to change 'max_life' in /var/kerberos/krb5kdc/kdc.conf
> and restart krb5kdc service.
okay, wasn't actually aware of this. Will look at it
> But generally I don't think it's a good idea to have such long tickets. Would
> it make sense in your use case to deploy SSSD on user systems to handle
> Kerberos tickets for them?
I am actually using SSSD on all the systems, even the desktops. I
agree the changes above aren't ideal and would prefer to get SSSD
working well. We would like to avoid this error showing around
every 12 hours.
antimony: Could not chdir to home directory /home/william: Key has expired