On Thu, Feb 16, 2017 at 07:54:47AM -0500, William Muriithi wrote:
> Morning David,
> 
> Thank you very much for your help.
> 
> > first you're mentioning "key expiry" but if I understand correctly you're
> > interested in "ticket lifetime".
> Yes, want to increase ticket lifetime.
> >
> > As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> > 1) maxlife for the user principal
> > 2) maxlife for the service [principal]
> > 3) max_life in the kdc.conf
> > 4) requested lifetime in the ticket request
> >
> > You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> > [libdefaults] in /etc/krb5.conf on client).
> >
> > To increase 2) you need to change maxlife for krbtgt service. There're two
> > ways this can be done:
> > a) modifying krbMaxTicketLife attribute in
> > krbPrincipalName=krbtgt/example....@example.org,cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> > b) using kadmin.local:
> > # kadmin.local
> > Authenticating as principal admin/ad...@example.org
> > : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> > Principal "krbtgt/example....@example.org" modified.
> > : exit
> 
> Will try 2 b and see how it goes
> 
> >
> > To increase 3) you need to change 'max_life' in 
> > /var/kerberos/krb5kdc/kdc.conf
> > and restart krb5kdc service.
> >
> 
> okay, wasn't actually aware of this.  Will look at it
> 
> > But generally I don't think it's a good idea to have such long tickets.
> > Would it make sense in your use case to deploy SSSD on user systems to
> > handle Kerberos tickets for them?
> >
> I am actually using SSSD on all the systems, even the desktops.  I
> agree the changes above aren't ideal and would prefer to get SSSD
> working well.  I would like to avoid this error showing up around
> every 12 hours.
> 
> antimony:  Could not chdir to home directory /home/william: Key has expired
> 
> 
> Regards,
> William

Hello William!

The fact that your desktops are using SSSD changes the situation dramatically.

SSSD (with the ipa or krb5 provider) obtains a ticket for the user when they log in,
and it can be configured to renew the ticket for the user until the ticket's
renewable lifetime expires.

Given this, you can keep the ticket lifetime reasonably short (~1 day), set the
ticket renewable lifetime to a longer period (~2 weeks), and maintain a reasonable
security level without a negative impact on users' daily work.

Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
in sssd-krb5 man page.

-- 
David Kupka

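For readers who want to see where the options David names go, the following is an added example of an sssd.conf domain section; it is not taken from the thread or from the SSSD project, and the domain name, server name and chosen values are assumptions.

```ini
# /etc/sssd/sssd.conf (added example; domain, server and values are assumptions)
[sssd]
services = nss, pam
domains = example.org

[domain/example.org]
# Provider settings as ipa-client-install would write them (assumed names)
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = example.org
ipa_server = ipa.example.org
cache_credentials = True

# Ask the KDC for a short-lived TGT ...
krb5_lifetime = 1d
# ... that stays renewable for two weeks
krb5_renewable_lifetime = 14d
# How often (in seconds) SSSD checks whether the user's TGT should be renewed.
# The default, 0, disables automatic renewal entirely.
krb5_renew_interval = 3600
```

Two things worth checking after the change: the renewable lifetime that is actually granted is capped by the KDC in the same way the ticket lifetime is (max_renewable_life in kdc.conf, the maxrenewlife of the krbtgt principal, and the maxrenew value in the IPA Kerberos ticket policy), so a 14d request against a KDC that only allows 7d silently yields 7d; and a logged-in user can confirm the result with `klist`, whose "renew until" line should be well past the "Expires" time before the renewal setup is relied on.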

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project