On Thu, Feb 16, 2017 at 07:54:47AM -0500, William Muriithi wrote:
> Morning David,
>
> Thank you very much for your help.
>
> > first you're mentioning "key expiry" but if I understand correctly you're
> > interested in "ticket lifetime".
> Yes, I want to increase the ticket lifetime.
>
> > As mentioned here [1] the ticket lifetime is the minimum of 4 values:
> > 1) maxlife for the user principal
> > 2) maxlife for the service [principal]
> > 3) max_life in the kdc.conf
> > 4) requested lifetime in the ticket request
> >
> > You've already done 1) (ipa krbtpolicy) and 4) (ticket_lifetime in
> > [libdefaults] in /etc/krb5.conf on client).
> >
> > To increase 2) you need to change maxlife for the krbtgt service. There are two
> > ways this can be done:
> > a) modifying the krbMaxTicketLife attribute in
> > krbPrincipalName=krbtgt/[email protected],cn=EXAMPLE.ORG,cn=kerberos,dc=example,dc=org
> > b) using kadmin.local:
> > # kadmin.local
> > Authenticating as principal admin/[email protected]
> > : modprinc -maxlife 10day krbtgt/EXAMPLE.ORG
> > Principal "krbtgt/[email protected]" modified.
> > : exit
> Will try 2 b) and see how it goes.
>
> > To increase 3) you need to change 'max_life' in
> > /var/kerberos/krb5kdc/kdc.conf
> > and restart the krb5kdc service.
> >
> Okay, I wasn't actually aware of this. Will look at it.
>
> > But generally I don't think it's a good idea to have such long tickets.
> > Would it make sense in your use case to deploy SSSD on user systems to handle
> > Kerberos tickets for them?
> >
> I am actually using SSSD on all the systems, even the desktops. I
> agree the changes above aren't ideal and would prefer to get SSSD
> working well. I would like to avoid this error showing up around
> every 12 hours:
>
> antimony: Could not chdir to home directory /home/william: Key has expired
>
> Regards,
> William
Hello William!

The fact that your desktops are using SSSD changes the situation dramatically. SSSD (with the ipa or krb5 provider) obtains a ticket for the user when they log in, and it can be configured to renew that ticket for the user until the ticket's renewable lifetime expires. Given this, you can keep the ticket lifetime reasonably short (~1 day), set the renewable ticket lifetime to a longer period (~2 weeks), and maintain a reasonable security level without a negative impact on users' daily work.

Look for the krb5_renew_interval, krb5_lifetime and krb5_renewable_lifetime options in the sssd-krb5 man page.

-- 
David Kupka
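The lifetime arithmetic from this thread and the SSSD renewal behaviour David describes, as an added runnable model (example code written for this page, not SSSD's or FreeIPA's own). It reads a constructed sssd.conf fragment, applies the four-way minimum to sample KDC-side caps, and then walks the sssd-krb5 renewal timer to report when the user would next hit "Key has expired". Assumptions: the KDC caps in KDC_CAPS are sample numbers (verify yours with `ipa krbtpolicy-show`, `kadmin.local` `getprinc krbtgt/EXAMPLE.ORG`, and the [realms] entry in kdc.conf); the renewal rule is the one the sssd-krb5 man page gives, a check every krb5_renew_interval seconds that renews once about half the ticket lifetime has passed; the duration parser handles only a simplified subset of the krb5 duration syntax.

```python
"""Model the TGT lifetime arithmetic and SSSD renewal discussed above.

Added example, not SSSD or FreeIPA code.  The KDC grants the minimum of the
four lifetime caps (user policy, krbtgt principal, kdc.conf, request); the
same rule applies to the renewable lifetime.  SSSD then renews the TGT on a
timer, so a short ticket plus a long renewable lifetime keeps the user going
without "Key has expired".
"""
import configparser
import re

# Constructed sssd.conf fragment for the model (not from the original post).
SSSD_CONF = """
[sssd]
domains = example.org
services = nss, pam

[domain/example.org]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.org
ipa_server = ipa.example.org
# Short-lived TGT, renewed by the SSSD backend every hour while renewable.
krb5_lifetime = 1d
krb5_renewable_lifetime = 2w
krb5_renew_interval = 1h
"""

# Constructed KDC-side caps in seconds (sample values, check your own KDC).
# Order: user policy (ipa krbtpolicy), krbtgt principal (kadmin getprinc),
# kdc.conf [realms] max_life / max_renewable_life.
KDC_CAPS = {
    "maxlife": (86400, 864000, 7 * 86400),            # 1d, 10d (after modprinc), 7d
    "maxrenewlife": (7 * 86400, 7 * 86400, 14 * 86400),
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def parse_duration(text):
    """Parse '1d', '12h', '2w', '10day', '1 hour' or bare seconds into seconds.

    Simplified subset of the krb5 duration syntax (an assumption of this
    example): each number is followed by a unit starting with s/m/h/d/w.
    """
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    total = 0
    for num, unit in re.findall(r"(\d+)\s*([a-z]+)", text):
        if unit.startswith("mo") or unit[0] not in _UNITS:
            raise ValueError("unsupported unit in duration: %r" % text)
        total += int(num) * _UNITS[unit[0]]
    if total == 0:
        raise ValueError("cannot parse duration: %r" % text)
    return total


def effective_lifetime(user_cap, krbtgt_cap, kdc_cap, requested):
    """The KDC issues the minimum of the four values (all in seconds)."""
    return min(user_cap, krbtgt_cap, kdc_cap, requested)


def sssd_knobs(conf_text, domain):
    """Read the three sssd-krb5 options for one domain section.

    Defaults when unset (assumed here): 1 day lifetime, no renewable
    lifetime, renew interval 0, which means SSSD never renews.
    """
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    sec = cp["domain/%s" % domain]
    return {
        "lifetime": parse_duration(sec.get("krb5_lifetime", "1d")),
        "renewable_lifetime": parse_duration(sec.get("krb5_renewable_lifetime", "0")),
        "renew_interval": parse_duration(sec.get("krb5_renew_interval", "0")),
    }


def simulate_renewal(lifetime, renewable_lifetime, renew_interval, horizon):
    """Return the time (seconds after login) at which the TGT stops being
    valid, or None if it survives the whole horizon.

    Every renew_interval seconds the backend checks the TGT and renews it
    once about half its lifetime has passed; a renewed TGT never outlives
    the renewable lifetime granted at login.
    """
    issued, expires = 0, lifetime
    if renew_interval <= 0:                      # renewal disabled (the default)
        return expires if expires < horizon else None
    t = 0
    while t < horizon:
        t += renew_interval
        if t >= expires:                         # check came too late, or nothing left to renew
            return expires
        if t - issued >= lifetime / 2 and expires < renewable_lifetime:
            issued, expires = t, min(t + lifetime, renewable_lifetime)
    return None


def next_expiry(conf_text, domain, kdc_caps, horizon=30 * 86400):
    """Combine the sssd.conf request with the KDC caps and report when the
    user would next see "Key has expired" (seconds after login), or None."""
    knobs = sssd_knobs(conf_text, domain)
    lifetime = effective_lifetime(*kdc_caps["maxlife"], knobs["lifetime"])
    renewable = effective_lifetime(*kdc_caps["maxrenewlife"], knobs["renewable_lifetime"])
    return simulate_renewal(lifetime, renewable, knobs["renew_interval"], horizon)


if __name__ == "__main__":
    secs = next_expiry(SSSD_CONF, "example.org", KDC_CAPS)
    print("TGT valid for the whole horizon" if secs is None
          else "TGT expires %.1f days after login" % (secs / 86400))
```

With the sample caps the model reports 7 days, not the 2 weeks written into sssd.conf: the user policy and krbtgt renewable caps win the minimum, so raising krb5_renewable_lifetime alone does nothing until `ipa krbtpolicy-mod --maxrenew=...` and `modprinc -maxrenewlife ... krbtgt/EXAMPLE.ORG` are raised to match. Leaving krb5_renew_interval at its default of 0, or setting it longer than the ticket lifetime, brings the expiry back to the bare krb5_lifetime.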
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
