David

>
> The fact that your desktops are using SSSD changes the situation dramatically.
>
> SSSD (with ipa or krb5 provider) obtains ticket for user when he is 
> logging-in.
> And can be configured to renew the ticket for the user until the ticket renew
> life time expires.
>
> Given this you can keep ticket life time reasonable short (~1 day) set ticket
> renewable life time to longer period (~2 weeks) and maintain reasonable
> security level without negative impact on user's daily work.
>
> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> in sssd-krb5 man page.
>
Thanks a lot.  I did actually end up using this.   Will wait for a
couple of days and see if anybody if the situation is better and
update you.

Curious though, why isn't renewal interval setup by default?  Is there
a negative consequence of having SSSD renewing tickets by default?  I
can't think of any and hence a bit lost on explaining the default
setup
> --
Regards,
William

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to