David
> > The fact that your desktops are using SSSD changes the situation dramatically. > > SSSD (with ipa or krb5 provider) obtains ticket for user when he is > logging-in. > And can be configured to renew the ticket for the user until the ticket renew > life time expires. > > Given this you can keep ticket life time reasonable short (~1 day) set ticket > renewable life time to longer period (~2 weeks) and maintain reasonable > security level without negative impact on user's daily work. > > Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options > in sssd-krb5 man page. > Thanks a lot. I did actually end up using this. Will wait for a couple of days and see if anybody if the situation is better and update you. Curious though, why isn't renewal interval setup by default? Is there a negative consequence of having SSSD renewing tickets by default? I can't think of any and hence a bit lost on explaining the default setup > -- Regards, William -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
