> The fact that your desktops are using SSSD changes the situation dramatically.
> SSSD (with ipa or krb5 provider) obtains ticket for user when he is 
> logging-in.
> And can be configured to renew the ticket for the user until the ticket renew
> life time expires.
> Given this you can keep ticket life time reasonable short (~1 day) set ticket
> renewable life time to longer period (~2 weeks) and maintain reasonable
> security level without negative impact on user's daily work.
> Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> in sssd-krb5 man page.
Thanks a lot.  I did actually end up using this.   Will wait for a
couple of days and see if anybody if the situation is better and
update you.

Curious though, why isn't renewal interval setup by default?  Is there
a negative consequence of having SSSD renewing tickets by default?  I
can't think of any and hence a bit lost on explaining the default
> --

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to