On Thu, Feb 16, 2017 at 06:05:48PM -0500, William Muriithi wrote:
> David
> >
> > The fact that your desktops are using SSSD changes the situation 
> > dramatically.
> >
> > SSSD (with the ipa or krb5 provider) obtains a ticket for the user when he
> > logs in.
> > And it can be configured to renew the ticket for the user until the ticket
> > renewable lifetime expires.
> >
> > Given this you can keep the ticket lifetime reasonably short (~1 day), set the
> > ticket renewable lifetime to a longer period (~2 weeks) and maintain a reasonable
> > security level without negative impact on the user's daily work.
> >
> > Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> > in sssd-krb5 man page.
> >
> Thanks a lot.  I did actually end up using this.  Will wait for a
> couple of days, see if the situation is better and
> update you.
> Curious though, why isn't the renewal interval set up by default?  Is there
> a negative consequence of having SSSD renew tickets by default?  I
> can't think of any and hence am a bit lost on explaining the default
> setup.
> > --
> Regards,
> William

Honestly, I don't know why krb5_renew_interval isn't set by default.

My wild guess would be that in a typical SSSD deployment the user logs in at the
beginning of the work day, SSSD gets him a ticket that lasts for a day, and he
logs out at the end of the work day (after 8~10 hours). So there's no need to
refresh it.

But feel free to open a ticket for SSSD [1] and describe your use case. I don't
know SSSD that well and maybe there's no reason against setting it by default.

[1] https://fedorahosted.org/sssd/newticket

David Kupka
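As an added illustration of the setup discussed above (this fragment is not from the thread or from the SSSD project; the domain name, server name and the exact values are assumptions), the three sssd-krb5 options can be put together in the domain section of sssd.conf like this:

```ini
# /etc/sssd/sssd.conf -- illustrative [domain] section, constructed for this example
[domain/example.test]
id_provider = ipa
auth_provider = ipa
ipa_domain = example.test
ipa_server = _srv_, ipa.example.test

# Short TGT lifetime: a ticket copied out of a user's credential cache is
# usable for at most a day ...
krb5_lifetime = 24h
# ... but SSSD may keep renewing it for up to two weeks, so the user is not
# forced to re-authenticate every morning.
krb5_renewable_lifetime = 14d
# How often SSSD checks whether a TGT should be renewed (it renews once about
# half of the ticket lifetime has passed). The default, 0, disables renewal
# entirely, which is the behaviour the thread is asking about.
krb5_renew_interval = 1h
```

Two checks a practitioner will want: first, the KDC caps what a client may request, so the renewable lifetime only takes effect if the FreeIPA ticket policy allows it (on the IPA server, `ipa krbtpolicy-mod --maxlife=86400 --maxrenew=1209600` sets the global maximum life and renewable life in seconds); second, after the user logs in, `klist` on the desktop should show a `renew until` timestamp roughly two weeks out, and a missing or equal-to-expiry value means the policy or the configuration did not apply.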
