On Thu, Feb 16, 2017 at 06:05:48PM -0500, William Muriithi wrote:
> David
> >
> >
> > The fact that your desktops are using SSSD changes the situation
> > dramatically.
> >
> > SSSD (with ipa or krb5 provider) obtains ticket for user when he is
> > logging-in.
> > And can be configured to renew the ticket for the user until the ticket
> > renew
> > life time expires.
> >
> > Given this you can keep ticket life time reasonable short (~1 day) set
> > ticket
> > renewable life time to longer period (~2 weeks) and maintain reasonable
> > security level without negative impact on user's daily work.
> >
> > Look for krb5_renew_interval, krb5_lifetime, krb5_renewable_lifetime options
> > in sssd-krb5 man page.
> >
> Thanks a lot. I did actually end up using this. Will wait for a
> couple of days and see if the situation is better and
> update you.
>
> Curious though, why isn't renewal interval set up by default? Is there
> a negative consequence of having SSSD renewing tickets by default? I
> can't think of any and hence a bit lost on explaining the default
> setup
>
> --
> Regards,
> William
Honestly, I don't know why krb5_renew_interval isn't set by default. My wild guess would be that in a typical SSSD deployment the user logs in at the beginning of the work day, SSSD gets a ticket that lasts for a day for him and he logs out at the end of the workday (after 8~10 hours). So there's no need to refresh it.

But feel free to open a ticket for SSSD [1] and describe your use case. I don't know SSSD that well and maybe there's no reason against setting it by default.

[1] https://fedorahosted.org/sssd/newticket

--
David Kupka
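The advice quoted above (short krb5_lifetime, longer krb5_renewable_lifetime, and a krb5_renew_interval so SSSD keeps renewing) only works when the three values are consistent with each other. Below is an added example, not code from SSSD or from anyone in this thread: a small Python checker that reads the [domain/...] section of an sssd.conf, parses SSSD's time strings (a number optionally followed by s, m, h or d, as documented in sssd-krb5(5)) and flags the combinations under which renewal silently does nothing. The domain name, the 1h renew interval and the two config fragments are constructed for the demonstration; the 1 day / 14 day figures are the ones suggested in the thread.

```python
"""Check the Kerberos ticket-renewal options of an sssd.conf [domain/...] section.

Added example, not SSSD's own code.  Flags settings under which the renewal
the thread recommends would not actually keep the user's TGT alive.
"""
import configparser
import re

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Two constructed sssd.conf fragments (domain name and 1h interval are assumptions).
WEAK_CONF = """\
[domain/example.test]
id_provider = ipa
auth_provider = ipa
krb5_lifetime = 1d
"""

FIXED_CONF = """\
[domain/example.test]
id_provider = ipa
auth_provider = ipa
krb5_lifetime = 1d
krb5_renewable_lifetime = 14d
krb5_renew_interval = 1h
"""


def parse_sssd_time(value):
    """Convert an SSSD time string to seconds: '1d' -> 86400, '30m' -> 1800,
    '3600' -> 3600 (a bare number is taken as seconds)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError("unrecognised SSSD time value: %r" % value)
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def check_ticket_options(opts):
    """Return a list of findings for one domain section (dict of option -> value).
    An empty list means the three renewal options are consistent."""
    findings = []
    interval = parse_sssd_time(opts.get("krb5_renew_interval", "0"))
    if interval == 0:
        # sssd-krb5(5): the default of 0 disables automatic renewal entirely.
        findings.append("krb5_renew_interval is unset or 0: SSSD never renews "
                        "the TGT, so it just expires after krb5_lifetime")
        return findings  # the remaining checks only matter once renewal is on

    if "krb5_lifetime" not in opts:
        findings.append("krb5_lifetime is unset: the KDC default applies, so "
                        "the renew interval cannot be checked against it")
    else:
        lifetime = parse_sssd_time(opts["krb5_lifetime"])
        if interval >= lifetime:
            findings.append("krb5_renew_interval >= krb5_lifetime: the ticket "
                            "expires before SSSD's next renewal check")
        elif interval > lifetime // 2:
            # sssd-krb5(5): SSSD renews once about half the lifetime has passed,
            # so a check interval above half the lifetime leaves little margin.
            findings.append("krb5_renew_interval is more than half of "
                            "krb5_lifetime: little margin before expiry")

    if "krb5_renewable_lifetime" not in opts:
        # sssd-krb5(5): when unset the TGT is not requested as renewable.
        findings.append("krb5_renewable_lifetime is unset: the TGT is not "
                        "renewable, so the renew interval does nothing")
    elif "krb5_lifetime" in opts and (
            parse_sssd_time(opts["krb5_renewable_lifetime"])
            <= parse_sssd_time(opts["krb5_lifetime"])):
        findings.append("krb5_renewable_lifetime <= krb5_lifetime: renewing "
                        "never extends the ticket")

    # Not checkable offline: the KDC clamps both the lifetime and the renewable
    # lifetime to its own maximums, so confirm the granted values with klist.
    return findings


def check_sssd_conf(text):
    """Parse sssd.conf text and return {domain section name: findings}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: check_ticket_options(dict(cp[name]))
            for name in cp.sections() if name.startswith("domain/")}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        for section, findings in check_sssd_conf(conf).items():
            print(label, section, findings or "OK")
```

Run it against your own file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`. The one thing it cannot see is the KDC side: the KDC caps requested lifetimes at the realm's and principal's maximums, so after changing sssd.conf, log in on a desktop and compare the "renew until" column of `klist` with what you asked for.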
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
