> The fact that your desktops are using SSSD changes the situation dramatically.
> SSSD (with ipa or krb5 provider) obtains ticket for user when he is
> And can be configured to renew the ticket for the user until the ticket renew
> life time expires.
> Given this you can keep ticket life time reasonable short (~1 day) set ticket
> renewable life time to longer period (~2 weeks) and maintain reasonable
> security level without negative impact on user's daily work.
> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> in sssd-krb5 man page.
Thanks a lot. I did actually end up using this. Will wait for a
couple of days and see if anybody if the situation is better and
Curious though, why isn't renewal interval setup by default? Is there
a negative consequence of having SSSD renewing tickets by default? I
can't think of any and hence a bit lost on explaining the default
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project